{"id":"PYSEC-2026-164","details":"JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed via the PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not restricted to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.","aliases":["BIT-jupyterlab-2026-42266","CVE-2026-42266","GHSA-37w4-hwhx-4rc4"],"modified":"2026-05-27T13:56:09.132550385Z","published":"2026-05-13T16:16:47.017Z","references":[{"type":"WEB","url":"https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html"},{"type":"WEB","url":"https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations"},{"type":"ADVISORY","url":"https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4"},{"type":"FIX","url":"https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7"}],"affected":[{"package":{"name":"jupyterlab","ecosystem":"PyPI","purl":"pkg:pypi/jupyterlab"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"4.5.7"}]}],"versions":["4.0.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.0a1","4.1.0a2","4.1.0a3","4.1.0a4","4.1.0b0","4.1.0b1","4.1.0b2","4.1.0rc0","4.1.0rc1","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.2.0","4.2.0a0","4.2.0a1","4.2.0a2","4.2.0b0","4.2.0b1","4.2.0b2","4.2.0b3","4.2.0rc0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.3.0","4.3.0a0","4.3.0a1","4.3.0a2","4.3.0b0","4.3.0b1","4.3.0b2","4.3.0b3","4.3.0rc0","4.3.0rc1","4.3.1","4.3.2","4.3.3","4.3.4","4.3.5","4.3.6","4.3.7","4.3.8","4.4.0","4.4.0a0","4.4.0a1","4.4.0a2","4.4.0a3","4.4.0b0","4.4.0b1","4.4.0b2","4.4.0rc0","4.4.0rc1","4.4.1","4.4.10","4.4.2","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.5.0","4.5.0a0","4.5.0a1","4.5.0a2","4.5.0a3","4.5.0a4","4.5.0b0","4.5.0b1","4.5.0rc0","4.5.0rc1","4.5.1","4.5.2","4.5.3","4.5.4","4.5.5","4.5.6"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jupyterlab/PYSEC-2026-164.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}