GHSA-RRVG-CXH4-QHRV

Vulnerability from github – Published: 2026-04-03 21:35 – Updated: 2026-04-06 23:09
VLAI?
Summary
Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
Details

Summary

An authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover.

Impact

This is an Authentication Bypass Vulnerability. Any Auth0 tenant leveraging the Auth0OAuthenticator mapping the email claim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user.

Patches

  • Upgrade oauthenticator to 17.4

Workarounds

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "oauthenticator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "17.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:35:37Z",
    "nvd_published_at": "2026-04-03T22:16:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAn authentication bypass vulnerability in `oauthenticator` allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When `email` is used as the usrname_claim, this gives users control over their username and the possibility of account takeover.\n\n### Impact\n\nThis is an **Authentication Bypass Vulnerability**. Any Auth0 tenant leveraging the `Auth0OAuthenticator` mapping the `email` claim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user.\n\n### Patches\n\n- Upgrade oauthenticator to 17.4\n\n### Workarounds\n\n- Check `email_verified` field in an `Authenticator.post_auth_hook` function\n- Do not use `email` as the username claim\n- [Enforce email verification in auth0](https://support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access)",
  "id": "GHSA-rrvg-cxh4-qhrv",
  "modified": "2026-04-06T23:09:50Z",
  "published": "2026-04-03T21:35:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-rrvg-cxh4-qhrv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/oauthenticator"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/oauthenticator/releases/tag/17.4.0"
    },
    {
      "type": "WEB",
      "url": "https://support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.