CVE-2018-7206
CVE-2018-7206 is a high-severity vulnerability in Jupyter Oauthenticator with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 6.5
- EPSS exploit prediction: 2% (75th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Jupyter Oauthenticator
- Published:
- Last modified:
Description
An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on the Hub. (Users were not allowed to access other users' accounts, but could create their own accounts on the Hub linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist is unaffected. No other Authenticators are affected.)
Frequently asked questions
- What is CVE-2018-7206?
- An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on the Hub. (Users were not allowed to access other users' accounts, but could create their own accounts on the Hub linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist is unaffected. No other Authenticators are affected.)
- How severe is CVE-2018-7206?
- CVE-2018-7206 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-7206 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (75th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2018-7206?
- CVE-2018-7206 primarily affects Jupyter Oauthenticator. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-7206?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2018-7206 published?
- CVE-2018-7206 was published on 2018-02-18 and last updated on 2026-06-17.
References
- https://blog.jupyter.org/security-fix-for-jupyterhub-gitlab-oauthenticator-7b14571d1f76
- https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16
- https://github.com/jupyterhub/oauthenticator/commit/1845c0e4b1bff3462c91c3108c85205acd3c75a2
Affected products (5)
- cpe:2.3:a:jupyter:oauthenticator:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:oauthenticator:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:oauthenticator:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:oauthenticator:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:oauthenticator:0.7.2:*:*:*:*:*:*:*
More vulnerabilities in Jupyter Oauthenticator
- CVE-2026-33175 — High (CVSS 8.8): OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to…
- CVE-2024-29033 — High (CVSS 7.5): OAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one's…
- CVE-2020-26250 — Medium (CVSS 6.3): OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the…
- CVE-2022-31027 — Medium (CVSS 4.2): OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the…