Cyber Posture

CVE-2026-33175

Severity: High
Published: 03 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in OAuthenticator 17.4.0)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33175 is a high-severity Improper Authentication (CWE-287) vulnerability in Jupyter OAuthenticator. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-13 (Identity Providers and Authorization Servers).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the authentication bypass by requiring timely remediation of the flaw through patching to OAuthenticator version 17.4.0 or later.

- prevent (IA-13, Identity Providers and Authorization Servers): Ensures secure selection, configuration, and monitoring of identity providers like Auth0 to prevent authentication bypass via unverified emails.

- prevent (CM-6, Configuration Settings): Enforces secure configuration settings for OAuthenticator, such as avoiding email as username_claim with unverified Auth0 accounts, to block username control and account takeover.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-33175 is an authentication bypass vulnerability in OAuthenticator for the public-facing JupyterHub web application, directly enabling exploitation of a public-facing application for unauthorized access and potential account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the username_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.

Deeper analysis

CVE-2026-33175 is an authentication bypass vulnerability (CWE-287, CWE-290) affecting OAuthenticator, a software component that enables OAuth2 identity providers to integrate with JupyterHub. Versions prior to 17.4.0 are vulnerable, particularly when using Auth0 as the identity provider and configuring email as the username_claim. Published on April 3, 2026, the flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker with an unverified email address on an Auth0 tenant can exploit this vulnerability to bypass authentication and log in to JupyterHub. This grants the attacker control over their username selection and enables potential account takeover of existing users by claiming their email-based usernames. The low-privilege requirement (PR:L) aligns with the need for a basic, unverified account on the Auth0 tenant, making exploitation feasible over the network with low complexity and no user interaction.

The issue has been addressed in OAuthenticator version 17.4.0, as detailed in the project's security advisory (GHSA-rrvg-cxh4-qhrv), release notes, and patching commit. Security practitioners should upgrade to version 17.4.0 or later and review configurations using email as username_claim with Auth0 to mitigate risks.
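The failure mode above comes down to one mapping step: the username JupyterHub assigns is taken from an identity-provider claim, and when that claim is an email address the provider has never verified, whoever registers that address controls the resulting username. The following is an added illustration, not OAuthenticator's own code and not the 17.4.0 patch: it contrasts a naive claim-to-username mapping with a hardened one that refuses an email-derived username unless the provider asserts `email_verified` (the standard OpenID Connect claim that Auth0 and other OIDC providers return in userinfo), and it shows that keying on the provider's stable `sub` identifier avoids the collision altogether. The userinfo documents are constructed samples.

```python
"""Defender-side model of the CVE-2026-33175 failure mode.

Added example; this is NOT OAuthenticator's code. It models the two
behaviours the advisory contrasts: mapping an identity-provider claim
straight to a JupyterHub username (vulnerable when the claim is an
unverified email) versus refusing the login unless the provider marks
the email verified. `email_verified` is the standard OpenID Connect
claim; the sample userinfo documents below are constructed.
"""
from typing import Optional


class UnverifiedClaim(Exception):
    """Raised when the claim selected as username cannot be trusted."""


def username_vulnerable(userinfo: dict, username_claim: str) -> Optional[str]:
    """Naive mapping (illustrative): trust whatever the claim contains."""
    value = userinfo.get(username_claim)
    if not isinstance(value, str) or not value.strip():
        return None
    return value.strip().lower()


def username_hardened(userinfo: dict, username_claim: str) -> Optional[str]:
    """Hardened mapping: an email-derived username is accepted only when the
    provider asserts email_verified == True; other claims pass through."""
    value = userinfo.get(username_claim)
    if not isinstance(value, str) or not value.strip():
        return None
    if username_claim == "email" and userinfo.get("email_verified") is not True:
        raise UnverifiedClaim(
            f"refusing to map unverified email {value!r} to a username"
        )
    return value.strip().lower()


# Constructed sample userinfo documents (not real accounts).
LEGIT_USER = {"sub": "auth0|111", "email": "alice@example.org", "email_verified": True}
# A self-registered tenant account that claims an existing user's address
# without ever completing verification.
IMPOSTOR = {"sub": "auth0|999", "email": "Alice@example.org", "email_verified": False}


def demo() -> dict:
    """Show that the naive mapping collides the two accounts onto one
    username while the hardened mapping rejects the unverified claim."""
    result = {
        "vulnerable_collision": username_vulnerable(LEGIT_USER, "email")
        == username_vulnerable(IMPOSTOR, "email"),
        "hardened_legit": username_hardened(LEGIT_USER, "email"),
    }
    try:
        username_hardened(IMPOSTOR, "email")
        result["hardened_impostor_rejected"] = False
    except UnverifiedClaim:
        result["hardened_impostor_rejected"] = True
    # Keying on the provider's stable subject identifier removes the
    # dependency on email verification entirely.
    result["sub_based"] = username_hardened(IMPOSTOR, "sub")
    return result


if __name__ == "__main__":
    print(demo())
```

The practical review step this suggests for an existing deployment is to check which claim the authenticator is configured to use as the username and, if it is email, whether the identity provider is trusted to have verified it; the advisory's own guidance is to upgrade to 17.4.0 or later and to revisit email-as-username configurations with Auth0.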

Details

CWE(s): CWE-287 (Improper Authentication), CWE-290 (Authentication Bypass by Spoofing)

Affected Products

jupyter / oauthenticator: versions prior to 17.4.0 (fixed in 17.4.0)

CVEs Like This One

CVE-2025-1104 · Shared CWE-287, CWE-290
CVE-2023-25574 · Same vendor: Jupyter
CVE-2026-39411 · Shared CWE-287, CWE-290
CVE-2025-69401 · Shared CWE-290
CVE-2026-5570 · Shared CWE-287
CVE-2026-33716 · Shared CWE-287
CVE-2026-39976 · Shared CWE-287
CVE-2026-4021 · Shared CWE-287
CVE-2026-30967 · Shared CWE-287
CVE-2025-66698 · Shared CWE-287

References