CVE-2026-33175

Severity: High
Published: 03 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (version 17.4.0)
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0044 (34.9th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-33175 is a high-severity Improper Authentication (CWE-287) vulnerability in Jupyter OAuthenticator. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-13 (Identity Providers and Authorization Servers).

Deeper analysis

CVE-2026-33175 is an authentication bypass vulnerability (CWE-287, CWE-290) affecting OAuthenticator, a software component that lets OAuth2 identity providers integrate with JupyterHub. Versions prior to 17.4.0 are vulnerable, particularly when Auth0 is used as the identity provider and email is configured as the username_claim. Published on April 3, 2026, the flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity because of its potential for significant confidentiality, integrity, and availability impact.

An attacker with an unverified email address on an Auth0 tenant can exploit this vulnerability to bypass authentication and log in to JupyterHub. Because the username is derived from the email claim, the attacker controls their own username and can take over an existing user's account by claiming that user's email-based username. The low-privilege requirement (PR:L) reflects the need for a basic, unverified account on the Auth0 tenant; beyond that, exploitation is feasible over the network with low complexity and no user interaction.

The issue has been addressed in OAuthenticator version 17.4.0, as detailed in the project's security advisory (GHSA-rrvg-cxh4-qhrv), release notes, and patching commit. Security practitioners should upgrade to version 17.4.0 or later and review any configuration that uses email as username_claim with Auth0.
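To make the failure mode concrete, here is an added example (not OAuthenticator's own code, and not the project's actual fix) that models how a login maps identity-provider claims to a JupyterHub username, showing the weak behaviour described above beside a hardened variant. It assumes the userinfo response is a dict of OpenID Connect style claims (`email`, `email_verified`, `sub`) and uses constructed sample claims; nothing here talks to Auth0 or JupyterHub.

```python
class LoginRejected(Exception):
    """Raised when the claims do not establish a trustworthy username."""


def resolve_username_weak(userinfo: dict, username_claim: str = "email") -> str:
    """Weak: trusts whatever value the IdP returns for the configured claim.

    With username_claim="email" on a tenant that allows self-signup, an
    account whose address was never verified gets to pick its own username,
    including one that already belongs to an existing JupyterHub user.
    """
    value = userinfo.get(username_claim)
    if not value:
        raise LoginRejected(f"claim {username_claim!r} missing")
    return str(value).lower()


def resolve_username_hardened(userinfo: dict, username_claim: str = "email") -> str:
    """Hardened: an email-derived username is accepted only when the IdP
    asserts the address was verified (OIDC `email_verified` must be True)."""
    value = userinfo.get(username_claim)
    if not value:
        raise LoginRejected(f"claim {username_claim!r} missing")
    if username_claim == "email" and userinfo.get("email_verified") is not True:
        raise LoginRejected("email address not verified by the identity provider")
    return str(value).lower()


# Constructed sample claims: a self-registered account whose address (one that
# belongs to an existing user) was never verified, and a verified account.
UNVERIFIED_CLAIMS = {"sub": "auth0|0001", "email": "Alice@example.org", "email_verified": False}
VERIFIED_CLAIMS = {"sub": "auth0|0002", "email": "bob@example.org", "email_verified": True}


def demo() -> dict:
    """Run both resolvers over the samples and collect the outcomes."""
    results = {"weak_unverified": resolve_username_weak(UNVERIFIED_CLAIMS)}
    try:
        results["hardened_unverified"] = resolve_username_hardened(UNVERIFIED_CLAIMS)
    except LoginRejected as exc:
        results["hardened_unverified"] = f"rejected: {exc}"
    results["hardened_verified"] = resolve_username_hardened(VERIFIED_CLAIMS)
    # Keying users on the stable `sub` claim instead of email avoids the issue.
    results["hardened_sub"] = resolve_username_hardened(UNVERIFIED_CLAIMS, "sub")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```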

Vulnerability details

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the username_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-33175 is an authentication bypass vulnerability in OAuthenticator for the public-facing JupyterHub web application, directly enabling exploitation of a public-facing application for unauthorized access and potential account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-25574 (same vendor: Jupyter)
CVE-2026-42266 (same vendor: Jupyter)
CVE-2026-5422 (same vendor: Jupyter)
CVE-2025-1104 (shared CWE-287, CWE-290)
CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2018-25316 (shared CWE-290)
CVE-2026-7022 (shared CWE-287)
CVE-2025-69401 (shared CWE-290)
CVE-2026-35622 (shared CWE-290)

Affected Assets

Vendor: jupyter
Product: oauthenticator
Versions: ≤ 17.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the authentication bypass by requiring timely remediation of the flaw through patching to OAuthenticator version 17.4.0 or later.

Prevent: Ensures secure selection, configuration, and monitoring of identity providers like Auth0 to prevent authentication bypass via unverified emails.

Prevent: Enforces secure configuration settings for OAuthenticator, such as avoiding email as username_claim with unverified Auth0 accounts, to block username control and account takeover.
