GHSA-rch3-82jr-f9w9: Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
Summary
Jupyter Notebook has a stored XSS (cross-site scripting, a type of attack where malicious code runs in a user's browser when they view a webpage or file) vulnerability that lets attackers steal authentication tokens (credentials that prove who you are) by tricking users into clicking fake controls in malicious notebook files. An attacker who steals these tokens can take over a user's account, read files, run code, and access the system.
Solution / Mitigation
Update to Jupyter Notebook 7.5.6 or JupyterLab 4.5.7, which contain the fix. As a temporary workaround, disable the help extension by running `jupyter labextension disable @jupyter-notebook/help-extension` and `jupyter labextension disable @jupyterlab/help-extension`. For additional hardening, turn off command-linker handling in the sanitizer by adding this to `overrides.json`: `{"@jupyterlab/apputils-extension:sanitizer": {"allowCommandLinker": false}}`.
Vulnerability Details
EPSS: 0.0%
April 30, 2026
Original source: https://github.com/advisories/GHSA-rch3-82jr-f9w9
First tracked: April 30, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%