GHSA-rrvg-cxh4-qhrv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rrvg-cxh4-qhrv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rrvg-cxh4-qhrv/GHSA-rrvg-cxh4-qhrv.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rrvg-cxh4-qhrv
- Aliases
- Related
- Published
- 2026-04-03T21:35:37Z
- Modified
- 2026-04-06T23:20:53.437849Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
- Details
-
Summary
An authentication bypass vulnerability in
oauthenticatorallows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. Whenemailis used as the usrname_claim, this gives users control over their username and the possibility of account takeover.Impact
This is an Authentication Bypass Vulnerability. Any Auth0 tenant leveraging the
Auth0OAuthenticatormapping theemailclaim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user.Patches
- Upgrade oauthenticator to 17.4
Workarounds
- Check
email_verifiedfield in anAuthenticator.post_auth_hookfunction - Do not use
emailas the username claim - Enforce email verification in auth0
- Database specific
{ "severity": "HIGH", "github_reviewed_at": "2026-04-03T21:35:37Z", "cwe_ids": [ "CWE-287", "CWE-290" ], "github_reviewed": true, "nvd_published_at": "2026-04-03T22:16:26Z" }- References
-
- https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-rrvg-cxh4-qhrv
- https://nvd.nist.gov/vuln/detail/CVE-2026-33175
- https://github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9
- https://github.com/jupyterhub/oauthenticator
- https://github.com/jupyterhub/oauthenticator/releases/tag/17.4.0
- https://support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access
Affected packages
PyPI / oauthenticator
Package
- Name
- oauthenticator
- View open source insights on deps.dev
- Purl
- pkg:pypi/oauthenticator
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed17.4.0
Affected versions
0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.9.0
0.10.0
0.11.0
0.12.0
0.12.1
0.12.2
0.12.3
0.13.0
14.*
14.0.0
14.1.0
14.2.0
15.*
15.0.0
15.0.1
15.1.0
16.*
16.0.0
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.0.7
16.1.0
16.1.1
16.2.0
16.2.1
16.3.0
16.3.1
17.*
17.0.0
17.1.0
17.2.0
17.3.0