CVE-2026-42557

CVE-2026-42557 is a high-severity cross-site scripting (XSS) vulnerability in jupyterlab (pip), affecting versions <= 4.5.6, and in notebook (pip) versions >= 7.0.0, <= 7.5.5. It is fixed in jupyterlab 4.5.7 and notebook 7.5.6.

Summary

JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user.
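The two attribute names above are the concrete artifact a defender can look for in files at rest, since the malicious HTML is stored in the notebook (or Markdown) file rather than generated by a kernel. The following scanner is an added example written for this page, not code from JupyterLab: it walks a notebook's stored text/html outputs and Markdown cell sources, the two places JupyterLab renders through its sanitizer, and reports every element carrying data-commandlinker-command. The sample notebook, the CSS class on the button and the command name placeholder-plugin:placeholder-command are constructed for the example; the advisory does not describe how the args attribute is encoded, so the scanner tries JSON and otherwise keeps the raw string.

```python
"""Scan .ipynb / Markdown files for stored HTML that carries JupyterLab
CommandLinker attributes. Added example for this page, not JupyterLab code.
It only reports; nothing is executed."""
import json
from html.parser import HTMLParser
from pathlib import Path

COMMAND_ATTR = "data-commandlinker-command"
ARGS_ATTR = "data-commandlinker-args"


class _LinkerFinder(HTMLParser):
    """Collect every start tag carrying the CommandLinker command attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if COMMAND_ATTR not in attrs:
            return
        raw_args = attrs.get(ARGS_ATTR)
        try:
            # Assumption: args are JSON-encoded. If they are not, keep the raw
            # string so the finding is still reported.
            args = json.loads(raw_args) if raw_args is not None else None
        except json.JSONDecodeError:
            args = raw_args
        self.hits.append({"tag": tag, "command": attrs[COMMAND_ATTR], "args": args})


def find_command_links(html):
    """Return one dict per element in `html` that names a CommandLinker command."""
    finder = _LinkerFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def _text(field):
    """nbformat stores source/data text either as a string or as a list of lines."""
    return "".join(field) if isinstance(field, list) else str(field)


def scan_notebook(nb):
    """Inspect rendered content only: Markdown cell sources and text/html
    outputs. Code cell source is not rendered as HTML and is skipped."""
    findings = []
    for index, cell in enumerate(nb.get("cells", [])):
        candidates = []
        if cell.get("cell_type") == "markdown":
            candidates.append(("markdown source", _text(cell.get("source", ""))))
        for output in cell.get("outputs", []):
            html = output.get("data", {}).get("text/html")
            if html is not None:
                candidates.append(("text/html output", _text(html)))
        for where, text in candidates:
            for hit in find_command_links(text):
                findings.append({"cell": index, "where": where, **hit})
    return findings


def scan_file(path):
    """Scan a .ipynb as a notebook, anything else as raw Markdown/HTML."""
    path = Path(path)
    content = path.read_text(encoding="utf-8")
    if path.suffix == ".ipynb":
        return scan_notebook(json.loads(content))
    return [{"cell": None, "where": "file body", **hit} for hit in find_command_links(content)]


# Constructed sample (not a real notebook): one deceptive text/html output, one
# Markdown cell using the same trick, and a benign button that must not match.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "code", "source": "print('hello')", "metadata": {}, "execution_count": 1,
         "outputs": [{"output_type": "display_data", "metadata": {}, "data": {
             "text/plain": ["<IPython.core.display.HTML object>"],
             "text/html": ['<button class="jp-Button" data-commandlinker-command='
                           '"placeholder-plugin:placeholder-command" '
                           'data-commandlinker-args=\'{"path": "x"}\'>Run</button>']}}]},
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Notes\n", '<a data-commandlinker-command="placeholder-plugin:other">Open</a>']},
        {"cell_type": "code", "source": "# data-commandlinker-command appears only in source text",
         "metadata": {}, "execution_count": None,
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/html": "<button>Benign</button>"}}]},
    ],
}


def demo():
    """Run the scanner over the constructed sample; returns the findings list."""
    return scan_notebook(SAMPLE_NOTEBOOK)


if __name__ == "__main__":
    for f in demo():
        print(f"cell {f['cell']} ({f['where']}): <{f['tag']}> -> {f['command']} args={f['args']}")
```

Treat hits as review items rather than automatic blocks: a frontend extension that deliberately renders command links in its own output will trigger the same pattern, and the scanner cannot tell intent from the attribute alone.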

Single-click impact

An attacker convincing the victim to click on a single button or link can:

  • execute arbitrary code in the available kernels,
  • delete files leading to information loss; in principle the loss could be unrecoverable, depending on server configuration and attack complexity,
  • open multiple kernels/terminals at once, or create multiple files at once, putting significant stress on the server and thus denying availability to other users of a standalone multi-tenant jupyter-server deployment, and to a lesser degree impacting availability of JupyterHub deployments.

The arbitrary code execution will be immediately visible to the user; and can be halted by the timely user intervention. The deletion of files can be silent and go unnoticed for some time.

Multi-click attacks

An attacker who convinces the victim to click on multiple buttons in a specific order and to grant access to the clipboard (or in scenarios where the user has already granted clipboard access) can obtain full access to the terminal and execute arbitrary commands in the environment with an access scope that might exceed that of the available kernels. Only users of Chromium-based browsers are susceptible to this expanded variant of the attack.

The execution of commands in the terminal would be immediately visible to the user.

Impact of third-party extensions

The impact described above assumes a plain JupyterLab/Notebook installation. In environments with frontend extensions that contribute additional commands the attack surface is increased by the functionality covered by these commands.

Patches

Fixed in JupyterLab 4.5.7 and Notebook 7.5.6.

Workarounds

No workarounds are available for end-users.

Downstream applications inheriting from JupyterFrontEnd or JupyterLab can effectively disable the CommandLinker by passing commandLinker: new CommandLinker({ commands: new CommandRegistry() }) option in the initialization options.

Hardening

The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:

{
  "@jupyterlab/apputils-extension:sanitizer": {
    "allowCommandLinker": false
  }
}


Impact

An attacker who shares a notebook or a Markdown file - via email, GitHub, or a Binder link - can invoke an arbitrary command upon a single click by the victim. The button can be rendered inside the output area and be visually indistinguishable from a legitimate widget. No kernel needs to start; the HTML output is stored in the notebook file and displayed immediately on open.

Untrusted HTML is rendered as active markup in the victim's browser. In this case no script tag needs to survive the sanitizer: the allowlisted data-commandlinker-* attributes on otherwise clean HTML are enough, because JupyterLab's own trusted frontend code executes the named command when the element is clicked. The practical impact is actions taken as the user inside JupyterLab: code execution in any running kernel, file deletion, and resource exhaustion on the server.

CVE-2026-42557 has a CVSS score of 9.6 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.7, 7.5.6); upgrading removes the vulnerable code path.

Affected versions

  • jupyterlab (<= 4.5.6)
  • notebook (>= 7.0.0, <= 7.5.5)

Security releases

  • jupyterlab → 4.5.7 (pip)
  • notebook → 7.5.6 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

jupyterlab to 4.5.7 or later; notebook to 7.5.6 or later
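For a fleet of environments the two remediation steps are: find which installs fall inside the affected ranges, and for those that cannot be upgraded immediately, apply the allowCommandLinker override from the Hardening section. The script below is an added example for this page, not part of JupyterLab or of the Kodem tooling. It reads the installed versions through importlib.metadata, compares them against the ranges listed on this page, and merges the sanitizer override into an overrides.json without discarding other settings. The overrides path is caller-supplied (the example makes no assumption about where a given deployment keeps it), and the version parser is a deliberately simplified PEP 440 handler that treats any non-final suffix as still vulnerable.

```python
"""Audit jupyterlab/notebook against the advisory ranges and merge the
allowCommandLinker hardening into overrides.json. Added example for this
page, not JupyterLab code."""
import json
from importlib.metadata import PackageNotFoundError, version as installed_version
from pathlib import Path

# (first affected version or None for "from the beginning", first fixed version),
# taken from the advisory's affected-versions and security-releases tables.
AFFECTED = {
    "jupyterlab": (None, "4.5.7"),   # <= 4.5.6 affected, fixed in 4.5.7
    "notebook": ("7.0.0", "7.5.6"),  # 7.0.0 .. 7.5.5 affected, fixed in 7.5.6
}

SANITIZER_PLUGIN = "@jupyterlab/apputils-extension:sanitizer"


def parse_version(text):
    """'4.5.7' -> (4, 5, 7, 0). Anything that is not a plain numeric release
    ('4.5.7rc1', '4.5.6+local') gets a trailing -1 so it sorts below the final
    release it names and is treated as still affected. This is a conservative
    simplification of PEP 440; use packaging.version for the full rules."""
    parts, prerelease = [], False
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                prerelease = True
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if prerelease:
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + ((-1,) if prerelease else (0,))


def is_affected(package, ver):
    """True when `ver` lies in [first affected, first fixed) for `package`."""
    lo, fixed = AFFECTED[package]
    v = parse_version(ver)
    return (lo is None or v >= parse_version(lo)) and v < parse_version(fixed)


def audit_installed():
    """Report the installed version of both packages against the advisory."""
    report = {}
    for package, (_, fixed) in AFFECTED.items():
        try:
            ver = installed_version(package)
        except PackageNotFoundError:
            ver = None
        report[package] = {
            "installed": ver,
            "affected": bool(ver) and is_affected(package, ver),
            "fixed_in": fixed,
        }
    return report


def add_hardening(overrides):
    """Return a copy of an overrides.json document with allowCommandLinker=false
    merged into the sanitizer plugin; other plugins and other sanitizer keys
    are preserved."""
    merged = json.loads(json.dumps(overrides))  # deep copy of plain JSON data
    merged.setdefault(SANITIZER_PLUGIN, {})["allowCommandLinker"] = False
    return merged


def harden_overrides(path):
    """Apply add_hardening to the overrides.json at `path` (created if missing)."""
    path = Path(path)
    current = json.loads(path.read_text(encoding="utf-8")) if path.exists() else {}
    merged = add_hardening(current)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(merged, indent=2) + "\n", encoding="utf-8")
    return merged


if __name__ == "__main__":
    for package, info in audit_installed().items():
        print(package, info)
```

The override only has effect on the patched versions, where the toggle exists; on a vulnerable version it is a no-op, so the audit result, not the presence of the file, is what decides whether an environment is protected.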

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-42557? CVE-2026-42557 is a high-severity cross-site scripting (XSS) vulnerability in jupyterlab (pip), affecting versions <= 4.5.6, and in notebook (pip) versions >= 7.0.0, <= 7.5.5. It is fixed in jupyterlab 4.5.7 and notebook 7.5.6. Stored HTML in a notebook or Markdown file passes through JupyterLab's sanitizer with command-invoking attributes intact, so a single click by the victim runs a JupyterLab command in their session.
  2. How severe is CVE-2026-42557? CVE-2026-42557 has a CVSS score of 9.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-42557?
    • jupyterlab (pip) (versions <= 4.5.6)
    • notebook (pip) (versions >= 7.0.0, <= 7.5.5)
  4. Is there a fix for CVE-2026-42557? Yes. CVE-2026-42557 is fixed in jupyterlab 4.5.7 and notebook 7.5.6. Upgrade to these versions or later.
  5. Is CVE-2026-42557 exploitable, and should I be worried? Whether CVE-2026-42557 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-42557 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42557?
    • Upgrade jupyterlab to 4.5.7 or later
    • Upgrade notebook to 7.5.6 or later

Other vulnerabilities in jupyterlab

  • CVE-2026-42266
  • CVE-2026-40171
  • CVE-2025-59842
  • CVE-2024-43805
  • CVE-2024-22421
