Home / Vulnerability Intelligence / CVE-2026-33175

CVE-2026-33175 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 3, 2026

OAuthenticator - Authentication Bypass

Published: April 3, 2026Updated: April 3, 2026Remote Exploitable

Overview

OAuthenticator < 17.4.0 contains an authentication bypass caused by unverified email addresses on Auth0 tenants when email is used as username_claim, letting attackers login and potentially take over accounts, exploit requires unverified email on Auth0.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Attackers can bypass authentication and take over user accounts, leading to unauthorized access.

Mitigation

Update to version 17.4.0 or later.

References

https://github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9
https://github.com/jupyterhub/oauthenticator/releases/tag/17.4.0
https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-rrvg-cxh4-qhrv

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33175
Severity: High
CVSS Score: 8.8
Type: broken_authentication
Status: new

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H