PyPI: jupyterlab

CVE-2026-42266

Safety vulnerability ID: SFTY-20260505-46550

Safety legacy ID: pyup.io-96033

Created at: Jun 5, 2026
Updated at: Jun 5, 2026

Overview

JupyterLab has an Extension Manager API/GUI policy discrepancy that allows third-party (malicious) extensions to be installed via a POST request.

Advisory

Affected versions of the jupyterlab package are vulnerable to Improper Access Control because the PyPI Extension Manager fails to enforce the configured extension allow list. The allowed_extensions_uris configuration setting was not correctly applied by the PyPI Extension Manager, and the manager itself was not constrained to packages served from the default PyPI index, so administrative restrictions intended to prevent users from installing arbitrary packages did not take effect.

Affected Package

Affecting jupyterlab package, versions >=4.0.0,<=4.5.6

Also affects: (none listed)

How to Fix

Upgrade jupyterlab to 4.5.7 or higher.
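The record gives the affected range as `>=4.0.0,<=4.5.6` and the first fixed release as 4.5.7, so the practical check an operator wants is "is the jupyterlab on this host inside that range?". The script below is an added example, not code from Safety or from the JupyterLab project; it evaluates the advisory's range against either a version string you pass in or the version reported by the standard-library `importlib.metadata` for the current environment. The version ordering it implements is a deliberately small subset of PEP 440 (numeric release segments, pre-releases sorting before the final release, post-releases after); local-version and epoch syntax are not handled, which is enough for the releases this advisory names.

```python
# Added example: check whether a jupyterlab version falls inside the range this
# advisory quotes (>=4.0.0,<=4.5.6; fixed in 4.5.7). Not part of the advisory or
# of the JupyterLab project. Version ordering is a simplified subset of PEP 440.
import operator
import re
from importlib import metadata

AFFECTED_SPEC = ">=4.0.0,<=4.5.6"   # range quoted in the advisory
FIXED_VERSION = "4.5.7"             # first fixed release quoted in the advisory

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")
_CLAUSE_RE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*(.+?)\s*$")
_OPS = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">": operator.gt, "<": operator.lt,
}


def parse_version(text):
    """Turn '4.5.7rc1' into a comparable key: (release tuple, rank).

    rank 0 = pre-release (a/b/rc/dev), 1 = final, 2 = post-release, so that
    4.5.7rc1 < 4.5.7 < 4.5.7.post1, matching PEP 440 for these common forms.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    release += [0] * (3 - len(release))          # pad '4.5' to (4, 5, 0)
    suffix = m.group(2).strip().lower().lstrip(".-")
    if not suffix:
        rank = 1
    elif suffix.startswith("post"):
        rank = 2
    else:
        rank = 0
    return (tuple(release), rank)


def is_affected(version, spec=AFFECTED_SPEC):
    """True when every comma-separated clause of `spec` holds for `version`."""
    key = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](key, parse_version(bound)):
            return False
    return True


def check_installed(dist="jupyterlab"):
    """Return (installed_version, affected) for the running environment,
    or (None, False) when the package is not installed at all."""
    try:
        installed = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, is_affected(installed)


if __name__ == "__main__":
    installed, affected = check_installed()
    if installed is None:
        print("jupyterlab is not installed in this environment")
    elif affected:
        print(f"jupyterlab {installed} is inside {AFFECTED_SPEC}: "
              f"upgrade to {FIXED_VERSION} or later")
    else:
        print(f"jupyterlab {installed} is outside the affected range")
```

Because the advisory states that `allowed_extensions_uris` was not honoured by the affected PyPI Extension Manager, a configured allow list is not evidence of protection on these versions; the version check above, not the configuration, is what decides exposure.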

Mitigation and Workarounds: (none listed)

Vulnerable Functions

Functions linked to known vulnerabilities.


Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
