MEDIUM · Disclosure May 7, 2026

UIC JupyterHub CVE-2026-33709

To: esteban@uic.edu
Cc: security@uic.edu, abuse@nuclide-research.com
Subject: JupyterHub on compaasgold06.evl.uic.edu (131.193.78.37). CVE-2026-33709 open redirect, upgrade to 5.4.4


Nicholas Michael Kloster / NuClide Research nicholas@nuclide-research.com

2026-05-07

This is an unsolicited good-faith coordinated-disclosure notification under the NuClide Research umbrella (CISA disclosures CVE-2025-4364, ICSA-25-140-11). Severity: MEDIUM.

The contact is the ARIN-listed OrgAbuseEmail for UIC’s IP block. The host appears to be EVL’s “CompAAS Gold” research compute appliance. Please forward to the appropriate EVL operator if esteban@uic.edu is the central UIC abuse handler rather than the operator.


Summary

compaasgold06.evl.uic.edu (131.193.78.37) runs JupyterHub 5.3.0 behind nginx 1.24.0 over HTTPS. The authentication model is intact: the root path returns the JupyterHub login page, and /hub/api/info requires authentication.

CVE-2026-33709 (post-login open redirect) applies. Upgrade JupyterHub to 5.4.4+ to patch.

Evidence (passive probes only)

$ curl -sI -k https://compaasgold06.evl.uic.edu/
HTTP/2 200
Server: nginx/1.24.0 (Ubuntu)
X-Jupyterhub-Version: 5.3.0

$ curl -sk https://compaasgold06.evl.uic.edu/ | grep -E "<title>"
<title>JupyterHub</title>

The nginx 1.24.0 reverse proxy fronts JupyterHub 5.3.0 at the root path. Apart from running a release that predates the CVE-2026-33709 fix, the deployment is in good shape.

Recommendation

Upgrade JupyterHub 5.3.0 → 5.4.4+ to patch CVE-2026-33709.

IOCs

| Type | Value |
| --- | --- |
| Affected host | 131.193.78.37 (compaasgold06.evl.uic.edu) |
| Service | JupyterHub 5.3.0 behind nginx 1.24.0 |
| Open ports | tcp/443 |
| Vulnerability | CVE-2026-33709 (open redirect, fixed in 5.4.4) |
| Authoritative WHOIS contact | esteban@uic.edu (ARIN OrgAbuseEmail for UIC netblock) |

Reference

Full triage case study: AI-LLM-Infrastructure-OSINT/blob/main/case-studies/commercial/multi-jupyterhub-edu-survey-2026-05-07.md

Regards,
Nicholas Michael Kloster / NuClide Research
nicholas@nuclide-research.com
AI-LLM-Infrastructure-OSINT
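For operators who want to run the version check from the Evidence and Recommendation sections across hubs they manage, the following is an added example, not part of the original notice or of JupyterHub itself. The function names and the hub.example.edu hostname are hypothetical, and the comparison assumes GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example (not from the notice): classify a hub from its response headers.
FIXED_VERSION="5.4.4"   # fixed release named in this notice

# Pull the X-Jupyterhub-Version value out of raw header text on stdin.
# Header names are case-insensitive (HTTP/2 output is lowercase) and
# HTTP/1.1 lines end in CR, so normalise both before matching.
hub_version() {
  tr -d '\r' | awk -F': *' 'tolower($1) == "x-jupyterhub-version" { print $2; exit }'
}

# version_lt A B: succeeds when A is strictly older than B.
# sort -V (GNU coreutils) compares numerically per component, so 5.10.0 > 5.4.4.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify_headers: read headers on stdin and print one of
#   "needs-upgrade <ver>", "patched <ver>", or "unknown".
# "unknown" covers a missing header (for example stripped by a proxy) and
# non-numeric versions such as dev builds, which need a manual look.
classify_headers() {
  _v="$(hub_version)"
  if ! printf '%s' "$_v" | grep -Eq '^[0-9]+(\.[0-9]+)*$'; then
    echo "unknown"
  elif version_lt "$_v" "$FIXED_VERSION"; then
    echo "needs-upgrade $_v"
  else
    echo "patched $_v"
  fi
}

# Constructed sample mirroring the header evidence quoted in the notice.
sample_headers() {
  printf 'HTTP/2 200\r\nServer: nginx/1.24.0 (Ubuntu)\r\nX-Jupyterhub-Version: 5.3.0\r\n\r\n'
}

# Usage against a hub you operate (hub.example.edu is a placeholder):
#   curl -sI https://hub.example.edu/ | classify_headers
sample_headers | classify_headers   # prints: needs-upgrade 5.3.0
```

An "unknown" result is not evidence that a hub is patched; confirm the installed version on the host itself in that case.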