CVE-2026-33709

Name	CVE-2026-33709
Description	JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jupyterhub (PTS)	bookworm	3.0.0+ds1-1	vulnerable
	trixie	5.2.1+ds1-4	vulnerable
	forky, sid	5.2.1+ds1-5	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
jupyterhub	source	(unstable)	(unfixed)

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-3vff-hjqv-m7h8