CVE-2026-40110
highCVSS v3 Base Score
7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 99% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
Low
Availability
None
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in Jupyter Server. The Origin header validation, which uses Python's `re.match()` function, does not correctly validate incoming origins against allowed patterns. This allows a remote attacker to bypass Cross-Origin Resource Sharing (CORS) restrictions by crafting a malicious domain that partially matches a trusted one. Consequently, the attacker can make unauthorized cross-origin requests to the Jupyter Server API from an untrusted site, potentially leading to sensitive information disclosure or other unauthorized actions.
CWE
CWE-625Affected Products
Migration Toolkit for Applications 8Red Hat OpenShift AI (RHOAI)