CVE-2026-33175
Summary
An authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrname_claim, this gives users control over their username and the possibility of account takeover.
Impact
This is an Authentication Bypass Vulnerability. Any Auth0 tenant leveraging the Auth0OAuthenticator mapping the email claim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user.
Patches
- Upgrade oauthenticator to 17.4
Workarounds
- Check
email_verifiedfield in anAuthenticator.postauthhookfunction - Do not use
emailas the username claim - Enforce email verification in auth0
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-rrvg-cxh4-qhrv, https://nvd.nist.gov/vuln/detail/CVE-2026-33175, https://github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9, https://github.com/jupyterhub/oauthenticator, https://github.com/jupyterhub/oauthenticator/releases/tag/17.4.0, https://support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access
Basic Information
