CVE-2020-26261
📋 TL;DR
This vulnerability in jupyterhub-systemdspawner exposes JupyterHub API tokens to all users on the system. Attackers can steal these tokens to impersonate legitimate users and access their Jupyter notebooks. The Littlest JupyterHub distribution is particularly affected, as it uses systemdspawner by default.
💻 Affected Systems
- jupyterhub-systemdspawner
- the-littlest-jupyterhub
📦 What is this software?
systemdspawner (the jupyterhub-systemdspawner package), by JupyterHub
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all JupyterHub user sessions, allowing attackers to access sensitive data, execute arbitrary code, and potentially pivot to other systems using stolen credentials.
Likely Case
Unauthorized access to user notebooks, data theft, and potential privilege escalation within the JupyterHub environment.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still exposes user sessions to local attackers.
🎯 Exploit Status
Exploitation requires local shell access but is trivial once obtained. No authentication bypass needed beyond local user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.15
Vendor Advisory: https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6
Restart Required: Yes
Instructions:
1. Update jupyterhub-systemdspawner (the version specifier is quoted so the shell does not treat `>` as a redirect): pip install --upgrade 'jupyterhub-systemdspawner>=0.15'
2. Restart JupyterHub service: systemctl restart jupyterhub
3. Verify all single-user notebook servers restart with new configuration
🔧 Temporary Workarounds
Switch to alternative spawner
Use a different JupyterHub spawner, such as dockerspawner or kubespawner, instead of systemdspawner
pip install jupyterhub-dockerspawner
Configure jupyterhub_config.py to use dockerspawner
Restrict systemd unit access
Tighten systemd unit permissions so that other users cannot read environment variables from the unit definitions
chmod 600 /run/systemd/system/jupyter-*.service
systemctl daemon-reload
File permissions only cover the unit file itself, so after applying this, confirm from an unprivileged account that the token is no longer visible in the units' Environment property; if it still is, this workaround is not sufficient on your host and the upgrade to 0.15 is the only reliable fix.
🧯 If You Can't Patch
- Implement strict user isolation and limit shell access to trusted administrators only
- Monitor systemd unit files and environment variable access for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the installed systemdspawner version:
pip show jupyterhub-systemdspawner | grep Version
Any reported version below 0.15 is vulnerable.
Verify Fix Applied:
Verify that the reported version is 0.15 or later, then confirm that the API token is no longer exposed in the environment of the jupyter-* systemd units.
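The two verification steps above can be scripted. The following is an added example written for this page; it is not code from the advisory or from the systemdspawner project. It assumes that the single-user units are named like the chmod pattern above (jupyter-*) and that the hub token is carried in the JUPYTERHUB_API_TOKEN variable (or its older alias JPY_API_TOKEN). It only reads state (pip show, systemctl list-units, systemctl show -p Environment) and never modifies anything. The constructed sample output lets the parsing functions run offline; the live audit runs only when systemctl is available.

```python
"""Read-only audit for CVE-2020-26261 on a JupyterHub host (added example)."""
import re
import shlex
import shutil
import subprocess
import sys

FIXED_VERSION = (0, 15)  # first fixed release named in the advisory
# Variable names that carry a single-user server's hub API token.
# JUPYTERHUB_API_TOKEN is the current name; JPY_API_TOKEN is the older alias.
TOKEN_VARS = ("JUPYTERHUB_API_TOKEN", "JPY_API_TOKEN")
UNIT_PATTERN = "jupyter-*"  # assumption: units are named like the chmod pattern above

# Constructed sample of `systemctl show -p Environment <unit>` output from an
# unpatched host; the token value is made up for this example.
SAMPLE_ENVIRONMENT_LINE = (
    "Environment=JUPYTERHUB_API_TOKEN=deadbeefcafe JUPYTERHUB_USER=alice "
    'PATH="/usr/local/bin:/usr/bin"'
)
# Constructed sample of `pip show jupyterhub-systemdspawner` output.
SAMPLE_PIP_SHOW = "Name: jupyterhub-systemdspawner\nVersion: 0.14\nSummary: Spawner\n"


def parse_version(text):
    """Turn '0.15', '0.14', '0.15.1' or '1.0.0rc1' into a comparable tuple of ints."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed_version(text):
    """True when the installed systemdspawner is 0.15 or newer."""
    return parse_version(text) >= FIXED_VERSION


def version_from_pip_show(output):
    """Extract the value of the 'Version:' line from `pip show` output, or None."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def exposed_token_vars(environment_line):
    """Given one 'Environment=...' line from `systemctl show -p Environment`,
    return the names of token-carrying variables it contains (empty if none)."""
    if environment_line.startswith("Environment="):
        environment_line = environment_line[len("Environment="):]
    # systemctl quotes values containing spaces, so split shell-style.
    names = [entry.split("=", 1)[0] for entry in shlex.split(environment_line)]
    return [name for name in names if name in TOKEN_VARS]


def _run(cmd):
    """Run a read-only command and return its stdout (empty on failure)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def jupyter_units():
    """Names of loaded units matching UNIT_PATTERN, active or not."""
    out = _run(["systemctl", "list-units", "--all", "--plain", "--no-legend", UNIT_PATTERN])
    return [line.split()[0] for line in out.splitlines() if line.strip()]


def audit():
    """Return (installed version or None, {unit: [exposed token vars]})."""
    version = version_from_pip_show(
        _run([sys.executable, "-m", "pip", "show", "jupyterhub-systemdspawner"])
    )
    findings = {}
    for unit in jupyter_units():
        env_line = _run(["systemctl", "show", "-p", "Environment", unit]).strip()
        exposed = exposed_token_vars(env_line)
        if exposed:
            findings[unit] = exposed
    return version, findings


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    sample_version = version_from_pip_show(SAMPLE_PIP_SHOW)
    print("sample version %s fixed: %s" % (sample_version, is_fixed_version(sample_version)))
    print("sample unit exposes:", exposed_token_vars(SAMPLE_ENVIRONMENT_LINE))
    # Live audit of this host, only where systemctl exists.
    if shutil.which("systemctl"):
        version, findings = audit()
        if version is None:
            print("jupyterhub-systemdspawner is not installed for", sys.executable)
        else:
            print("installed %s, fixed: %s" % (version, is_fixed_version(version)))
        for unit, names in findings.items():
            print("TOKEN EXPOSED in %s via %s" % (unit, ", ".join(names)))
```

Run it as the same unprivileged user a local attacker would have on the host: the version check tells you whether the package is patched, and any "TOKEN EXPOSED" line shows that the unit's Environment property is still readable, which is the condition the upgrade (or a workaround) must eliminate.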
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from same IP
- Unusual API token usage patterns
- User sessions from unexpected locations
Network Indicators:
- Unusual API calls to JupyterHub endpoints
- Multiple user sessions from same source
SIEM Query:
source="jupyterhub" AND (event="authentication_failure" OR event="token_usage") | stats count by src_ip, user
🔗 References
- https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015
- https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580
- https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6
- https://pypi.org/project/jupyterhub-systemdspawner/