Fluid Attacks Database

Description

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	jupyterlab	>=4.0.0 <4.5.7	4.5.7
debian 13	jupyterlab	=4.0.11+ds1+~cs11.25.27-7 \|\| =4.0.11+ds1+~cs11.25.27-8 \|\| =4.0.11+ds1+~cs11.25.27-9 \|\| =4.0.11+ds2+~cs11.25.27-1	-
debian 14	jupyterlab	=4.0.11+ds1+~cs11.25.27-7 \|\| =4.0.11+ds1+~cs11.25.27-8 \|\| =4.0.11+ds1+~cs11.25.27-9 \|\| =4.0.11+ds2+~cs11.25.27-1	-

Aliases

1. CVE-2026-422662. NVD-2026-422663. OSV-2026-422664. OSV-DEBIAN-2026-422665. GHSA-37w4-hwhx-4rc46. GCVE-2026-422667. SECURITY-TRACKER-CVE-2026-42266

References

1. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc42. https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.73. https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html4. https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.