[ANN] Security releases of JupyterHub, Auth0, LTI authenticators

minrk · March 26, 2026, 10:03pm

We’ve just published security releases of 3 JupyterHub packages:

JupyterHub 5.4.4 fixes an open redirect vulnerability (CVE-2026-33709)
jupyterhub-ltiauthenticator 1.6.3 fixes a possible Denial-of-Service attack in LTI11Authenticator (CVE-2026-34052)
oauthenticator 17.4.0 fixes email verification in Auth0OAuthenticator (CVE-2026-33175)

These are included in the 4.3.3 release of the jupyterhub helm chart.

All jupyterhub users are encouraged to upgrade.

The full advisories will be published at the above links 7 days after the fixed releases, one week from today (2026-04-02).

Paul2708 · March 27, 2026, 11:55am

Thanks for providing patches!
Just want to mention that the changelog of Z2JH v4.3.3 is currently not present on the website.

minrk · March 27, 2026, 3:27pm

thanks! it was released from a backport branch, so it’s on the 4.3.3 page, but I’ll make sure to update changelog on latest as well.

Topic		Replies	Views
[ANN] Security releases: JupyterHub 4.1.6, 5.1.0 JupyterHub announcement , release , security	1	179	August 8, 2024
[ANN] Critical security fix when using GlobusOAuthenticator with JupyterHub 5.0 in some configurations JupyterHub announcement	0	77	June 11, 2024
JupyterHub 1.5.0, zero-to-jupyterhub 1.2.0 security release JupyterHub announcement , security	0	968	November 4, 2021
JupyterHub 4.1.0 - security release JupyterHub announcement , release	3	314	March 27, 2024
JupyterHub Helm chart 0.11.0 released! Zero to JupyterHub on Kubernetes release	0	1146	January 14, 2021