External risk intelligence

Jupyter Server Stored XSS with Kernel RCE Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-44727

Jupyter Server is commonly deployed as a web application accessible via a browser. While often used for data science in internal environments, it is frequently exposed over the network as a web-based service for team collaboration and remote access, making the web interface and associated endpoints readily reachable in many deployment patterns.

Cross-site Scripting

Jupyter Server

before 2.20.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Jupyter Server's web application handling could allow an attacker to execute code remotely by tricking a user into opening a specially crafted notebook. This could lead to unauthorized access to sensitive data and system control. The primary concern is confirming if this technology is in use within our environment and identifying any potential exposure.

  • Stored XSS in Jupyter Server can lead to remote code execution.
  • Confirms exposure to sensitive data and system control.
  • Assess relevance and confirm exposure within the organization.

Attack Path

How an attacker could exploit the issue

An attacker could gain access to a Jupyter server through its web interface, where a user with low privileges might be tricked into viewing a specially crafted notebook. This notebook contains malicious HTML, which is then rendered by the server without proper security checks, allowing the attacker to execute arbitrary code with the user's permissions and access sensitive server APIs.

  • Requires authenticated access to the server.
  • User views a notebook with malicious HTML.
  • Leads to remote code execution and data theft.

Live Threat

Current exploitation, exposure, and threat context

When a user opens a crafted notebook, it could lead to the execution of malicious code within the Jupyter Server's environment. This is because the server may render untrusted HTML content without proper sanitization, potentially allowing an attacker to access cookies, escalate privileges to `/api/*` endpoints, and even achieve remote code execution on the server.

  • Stored XSS and kernel RCE.
  • Notebooks with crafted HTML outputs.
  • Unauthorized server access and control.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability in Jupyter Server. The first practical step is to identify all instances of the affected technology, confirm their accessibility and business criticality, and then assign an owner for remediation planning based on the assessed risk.

  • Determine affected Jupyter Server instances.
  • Verify reachability and business criticality.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Jupyter Server?

Jupyter Server acts as the core backend engine that powers interactive web applications like JupyterLab and Jupyter Notebooks. It manages the communication between a user's web browser and the computational kernels where data analysis and code execution occur. By providing essential HTTP services, it allows multiple users to collaborate, run code, and visualize data remotely through a centralized browser interface.

How does CVE-2026-44727 lead to a security weakness?

This vulnerability involves a Stored Cross-Site Scripting (XSS) weakness, categorized as CWE-79. Because the software fails to sanitize notebook output or enforce strict Content-Security-Policy headers, it allows malicious HTML embedded in a notebook to execute in the browser. When rendered, this script can hijack a user's session, enabling unauthorized access to critical server APIs and potentially escalating to full remote code execution on the underlying kernel.

Can this vulnerability be triggered without user interaction?

No, the vulnerability is not triggered automatically by simply hosting a file. An attacker must successfully trick an authenticated user into opening and viewing a specifically crafted notebook that contains the malicious HTML payload. If a notebook is stored on the server but never opened or viewed by a user within their browser, the malicious script remains dormant and does not execute.

Why should I care about this if my Jupyter Server is internal?

Even for internal services, Halo Surface Signal notes that Jupyter Server is frequently deployed as a web application intended for team collaboration and remote access. This often makes the web interface reachable across broader internal network segments than initially intended. If an attacker gains initial access to your network, they could target the web interface to compromise the server and gain full control over the environment.

What is the first step to address this CVE?

Your priority is to inventory your environment to locate all active instances of Jupyter Server. Once you have a complete list, verify the version of each instance to determine if it is earlier than 2.20. Identifying which servers are reachable by users and assigning an owner for each instance will allow your team to coordinate the necessary updates to version 2.20 or higher, where this specific security flaw is addressed.

References