CVE-2021-41194
9.1 CRITICALFirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub
Published: 2021-10-28 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 9.1 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-284
Affected products
| Vendor | Product |
|---|---|
| jupyterhub | first_use_authenticator |
Description
FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-41194
- [Patch]https://github.com/jupyterhub/firstuseauthenticator/pull/38
- [Patch]https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
- [Other]https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3
- [Patch]https://github.com/jupyterhub/firstuseauthenticator/pull/38
- [Patch]https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
- [Other]https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3
Related CVEs
Same vendor
- CVE-2021-39160 — nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path (9.6 CRITICAL)
Same CWE
- CVE-2026-47261 — Wasmtime is a runtime for WebAssembly (7.5 HIGH)
- CVE-2026-50892 — Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attacke... (6.5 MEDIUM)
- CVE-2026-50891 — Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a cra... (8.1 HIGH)
- CVE-2026-50886 — Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources vi... (9.1 CRITICAL)
- CVE-2026-50885 — Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive... (7.5 HIGH)