CVE-2026-33175

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33175
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33175.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-33175
Aliases
Downstream
Related
Published
2026-04-03T21:56:26.830Z
Modified
2026-05-18T11:54:51.426232984Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims
Details

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.

Database specific 
{
    "cwe_ids": [
        "CWE-287",
        "CWE-290"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33175.json"
}
References

Affected packages

Git / github.com/jupyterhub/oauthenticator

Affected ranges

Type
GIT
Repo
https://github.com/jupyterhub/oauthenticator
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cf70f25172af0dbfeaefd5f72192727bc0897ab6

Affected versions

0.*
0.10.0
0.11.0
0.12.0
0.12.1
0.12.3
0.13.0
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
14.*
14.0.0
14.1.0
14.2.0
15.*
15.0.0
15.0.1
15.1.0
16.*
16.0.0
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.0.7
16.1.0
16.1.1
16.2.0
16.2.1
16.3.0
16.3.1
17.*
17.0.0
17.1.0
17.2.0
17.3.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33175.json"