CVE-2026-40934: CWE-613: Insufficient Session Expiration in jupyter-server jupyter_server
Jupyter Server versions 2. 17. 0 and earlier have an insufficient session expiration vulnerability where the secret used to sign authentication cookies is stored in a static file and never rotated after a password change. This allows previously issued session cookies to remain valid even after a password reset, enabling an attacker who has captured a session cookie to maintain authenticated access. The issue affects password-based authentication deployments, especially shared or public-facing servers. This vulnerability has been fixed in version 2. 18. 0.
AI Analysis
Technical Summary
Jupyter Server (jupyter_server) versions prior to 2.18.0 persist the secret key used to sign authentication cookies in a static file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is not rotated upon user password changes. Consequently, session cookies issued before a password reset remain cryptographically valid, allowing attackers who have obtained such cookies to retain access despite password updates. This represents an insufficient session expiration vulnerability (CWE-613) impacting password-based authentication, particularly in environments where session revocation upon credential changes is expected. The vulnerability is addressed in version 2.18.0.
Potential Impact
An attacker who has captured a valid session cookie prior to a password reset can continue to access the Jupyter Server with the same privileges, bypassing the intended session invalidation that should occur after password changes. This undermines the security of password-based authentication and session management, potentially allowing unauthorized persistent access to the server. The vulnerability is rated high severity with a CVSS 4.0 score of 7.6.
Mitigation Recommendations
Upgrade Jupyter Server to version 2.18.0 or later, where the issue has been fixed by rotating the signing key upon password changes to invalidate existing session cookies. Until the upgrade is applied, be aware that password resets do not revoke existing sessions, so additional session management controls or temporary mitigations may be necessary in shared or public-facing deployments. Patch status is confirmed fixed in version 2.18.0.
CVE-2026-40934: CWE-613: Insufficient Session Expiration in jupyter-server jupyter_server
Description
Jupyter Server versions 2. 17. 0 and earlier have an insufficient session expiration vulnerability where the secret used to sign authentication cookies is stored in a static file and never rotated after a password change. This allows previously issued session cookies to remain valid even after a password reset, enabling an attacker who has captured a session cookie to maintain authenticated access. The issue affects password-based authentication deployments, especially shared or public-facing servers. This vulnerability has been fixed in version 2. 18. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Jupyter Server (jupyter_server) versions prior to 2.18.0 persist the secret key used to sign authentication cookies in a static file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is not rotated upon user password changes. Consequently, session cookies issued before a password reset remain cryptographically valid, allowing attackers who have obtained such cookies to retain access despite password updates. This represents an insufficient session expiration vulnerability (CWE-613) impacting password-based authentication, particularly in environments where session revocation upon credential changes is expected. The vulnerability is addressed in version 2.18.0.
Potential Impact
An attacker who has captured a valid session cookie prior to a password reset can continue to access the Jupyter Server with the same privileges, bypassing the intended session invalidation that should occur after password changes. This undermines the security of password-based authentication and session management, potentially allowing unauthorized persistent access to the server. The vulnerability is rated high severity with a CVSS 4.0 score of 7.6.
Mitigation Recommendations
Upgrade Jupyter Server to version 2.18.0 or later, where the issue has been fixed by rotating the signing key upon password changes to invalidate existing session cookies. Until the upgrade is applied, be aware that password resets do not revoke existing sessions, so additional session management controls or temporary mitigations may be necessary in shared or public-facing deployments. Patch status is confirmed fixed in version 2.18.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.518Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa665ccbff5d861029ec75
Added to database: 5/5/2026, 9:51:24 PM
Last enriched: 5/5/2026, 10:06:20 PM
Last updated: 5/5/2026, 11:16:10 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.