
MEDIUM · Disclosure May 7, 2026

NCSU JupyterHub CVE-2026-33709

To: security@ncsu.edu Cc: abuse@mcnc.org, abuse@nuclide-research.com Subject: JupyterHub on jupyter.csc.ncsu.edu (152.14.199.179). CVE-2026-33709 open redirect, upgrade to 5.4.4


Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com

2026-05-07

This is an unsolicited good-faith coordinated-disclosure notification under the NuClide Research umbrella (CISA disclosures CVE-2025-4364, ICSA-25-140-11). Severity: MEDIUM.

The IP block is registered to MCNC (the regional research network for North Carolina universities); the operator is NC State University Department of Computer Science. CCing abuse@mcnc.org so the network owner is in the loop, but the actual fix is operator-side at NCSU.


Summary

jupyter.csc.ncsu.edu (152.14.199.179) runs JupyterHub 5.3.0 on TornadoServer 6.4.2 over HTTPS, with a valid InCommon RSA cert via Internet2 and a strong CSP (frame-ancestors 'none'). The auth model is intact (/hub/api/info → 403). HTTPS is enforced (port 80 → 308 redirect to HTTPS).

The single applicable CVE is CVE-2026-33709 (open redirect via the post-login ?next= parameter). JupyterHub 5.3.0 is one minor release behind 5.4.4, which patches it.

Evidence (passive probes only)

$ curl -sI http://152.14.199.179/
HTTP/1.1 308 Permanent Redirect
Location: https://152.14.199.179/

$ curl -sI -k https://jupyter.csc.ncsu.edu/
HTTP/2 405
Server: TornadoServer/6.4.2
Content-Security-Policy: frame-ancestors 'none'; report-uri /hub/security/csp-report
X-Jupyterhub-Version: 5.3.0

$ curl -sI -k https://jupyter.csc.ncsu.edu/hub/api/info
HTTP/2 403
X-Jupyterhub-Version: 5.3.0

The deployment posture is otherwise good: strong CSP, XSRF tokens, enforced HTTPS, and a valid academic-CA cert. This is a single-CVE version-currency advisory, not a structural issue.
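The version and posture signals above can be read off the response headers without any active request. The following is an added example (not code from the advisory or from JupyterHub) that parses the header blocks exactly as captured in the curl transcript above and reports whether the X-Jupyterhub-Version is below the 5.4.4 fix line, whether the CSP carries frame-ancestors 'none', and whether plain HTTP redirects permanently to HTTPS. The 5.4.4 threshold is taken from this advisory; the sample inputs are the advisory's own probe output.

```python
import re

# Version this advisory identifies as patching CVE-2026-33709.
FIXED_VERSION = (5, 4, 4)

# Probe output copied from the advisory's curl transcript (not constructed).
HTTP_PROBE = """HTTP/1.1 308 Permanent Redirect
Location: https://152.14.199.179/
"""

HTTPS_PROBE = """HTTP/2 405
Server: TornadoServer/6.4.2
Content-Security-Policy: frame-ancestors 'none'; report-uri /hub/security/csp-report
X-Jupyterhub-Version: 5.3.0
"""


def parse_headers(raw):
    """Split a raw response header block into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive; repeated
    headers are joined with ', ' as RFC 9110 allows."""
    lines = raw.strip().splitlines()
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_code, headers


def parse_version(text):
    """Extract a (major, minor, patch) tuple; None if the header is absent or odd."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def https_enforced(http_probe):
    """True when plain HTTP answers with a permanent redirect to an https:// URL."""
    code, h = parse_headers(http_probe)
    return code in (301, 308) and h.get("location", "").lower().startswith("https://")


def assess(https_probe):
    """Summarise the passive posture signals the advisory relies on."""
    code, h = parse_headers(https_probe)
    version = parse_version(h.get("x-jupyterhub-version", ""))
    csp = h.get("content-security-policy", "")
    return {
        "status": code,
        "server": h.get("server"),
        "version": version,
        # Anything below the fixed release is still exposed to CVE-2026-33709.
        "needs_upgrade": version is not None and version < FIXED_VERSION,
        "frame_ancestors_none": "frame-ancestors 'none'" in csp,
        "csp_reporting": "report-uri" in csp,
    }


if __name__ == "__main__":
    print("HTTPS enforced:", https_enforced(HTTP_PROBE))
    for key, value in assess(HTTPS_PROBE).items():
        print(f"{key}: {value}")
```

Feeding the same functions the headers captured after the upgrade is the quickest way to confirm the fix landed: needs_upgrade should flip to False while the CSP and redirect checks stay True.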

CVE-2026-33709 (open redirect)

JupyterHub 5.3.0 contains an open-redirect vulnerability in the post-login ?next= handling: an attacker can craft a link like

https://jupyter.csc.ncsu.edu/hub/login?next=http://attacker.example/phish

A user who clicks this sees the legitimate NCSU JupyterHub login, authenticates correctly, and then gets redirected to the attacker-controlled site post-auth. The redirect can be used as a phishing primitive to harvest follow-on credentials (e.g., on a fake “your session expired, please log in again” page hosted on the attacker domain).

The fix is in JupyterHub 5.4.4: the post-login redirect target is now restricted to same-origin URLs.
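To make the "same-origin only" requirement concrete, here is an added example (not JupyterHub's code and not the patch itself) of the vulnerable shape next to a validator that keeps post-login redirects on the hub's own origin. It uses only the standard library; the HUB_ORIGIN value is assumed from the host named in this advisory, and the /hub/home fallback is an assumption. The validator goes beyond the plain http:// case shown above and also handles the browser-side quirks that commonly defeat naive checks: protocol-relative //host and ///host, backslashes treated as slashes, stripped tab/newline characters, and non-http schemes.

```python
from urllib.parse import urlparse

# Hub origin assumed for the example (the host named in this advisory).
HUB_ORIGIN = "https://jupyter.csc.ncsu.edu"
# Fallback landing page; an assumption, not a value from the advisory.
DEFAULT_NEXT = "/hub/home"


def unsafe_next_target(next_url):
    """The open-redirect shape: whatever ?next= says is where the browser goes."""
    return next_url or DEFAULT_NEXT


def safe_next_target(next_url, base=HUB_ORIGIN, default=DEFAULT_NEXT):
    """Return a redirect target that always lands on the hub's own origin.

    Anything that does not validate falls back to `default` rather than
    raising, so the login flow degrades gracefully."""
    if not next_url:
        return default
    # Browsers drop tab/CR/LF anywhere in a URL and treat '\' like '/',
    # so normalise the same way before deciding what the value means.
    candidate = "".join(c for c in next_url if c not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    # '//host', '///host', ... are protocol-relative in every browser, and
    # urlparse collapses the extra slashes, so reject them on the raw string.
    if candidate.startswith("//"):
        return default
    try:
        parsed = urlparse(candidate)
    except ValueError:
        return default
    if parsed.scheme or parsed.netloc:
        # Absolute URL: keep it only if scheme and host match our own origin.
        base_parsed = urlparse(base)
        if (parsed.scheme.lower() != base_parsed.scheme.lower()
                or parsed.netloc.lower() != base_parsed.netloc.lower()):
            return default
    path = parsed.path or "/"
    if not path.startswith("/"):
        return default
    # Rebuild from the parsed parts so only path, query and fragment survive.
    target = path
    if parsed.query:
        target += "?" + parsed.query
    if parsed.fragment:
        target += "#" + parsed.fragment
    return target


if __name__ == "__main__":
    for value in ("/user/alice/lab", "http://attacker.example/phish",
                  "//attacker.example/phish", "/\\attacker.example/phish"):
        print(f"{value!r:35} unsafe={unsafe_next_target(value)!r:35} "
              f"safe={safe_next_target(value)!r}")
```

The validator deliberately returns a path rather than the absolute URL it was given, so even a same-origin input is re-emitted relative to the hub; an explicit port in the netloc (jupyter.csc.ncsu.edu:443) does not match the bare origin and falls back to the default, which is the conservative side to err on.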

Recommendation

Upgrade JupyterHub 5.3.0 → 5.4.4+. This is a single minor-version bump and patches the only applicable CVE.

The deployment otherwise needs no remediation. Strong CSP + HTTPS + XSRF + valid cert is the right shape.

IOCs

Type                  Value
Affected host         152.14.199.179 (jupyter.csc.ncsu.edu)
Service               JupyterHub 5.3.0 on TornadoServer 6.4.2
Open ports            tcp/80 (308 → HTTPS), tcp/443
TLS                   InCommon RSA Server CA 2 (Internet2 academic CA)
Vulnerability         CVE-2026-33709 (open redirect, fixed in 5.4.4)
WHOIS network owner   MCNC (North Carolina regional research network), abuse@mcnc.org
Operator contact      security@ncsu.edu

Reference

Full triage case study: AI-LLM-Infrastructure-OSINT/blob/main/case-studies/commercial/multi-jupyterhub-edu-survey-2026-05-07.md

Regards, Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com AI-LLM-Infrastructure-OSINT