
OAuthenticator patches Auth0 email-claim authentication bypass

Published 03 Apr 2026. Updated 03 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR — A claim-mapping flaw in oauthenticator’s Auth0 integration can let attackers log in as other JupyterHub users when email is used as the username claim and email verification isn’t enforced.

What happened

oauthenticator is a Python package that plugs OAuth2 identity providers (IdPs) into JupyterHub, commonly used to front internal notebooks and multi-tenant compute with SSO.

CVE-2026-33175 describes an authentication bypass in Auth0OAuthenticator: an attacker with an unverified email address on the target Auth0 tenant can still authenticate to JupyterHub. When deployments map the Auth0 email claim to the JupyterHub username (i.e., email used as username_claim), this gives users control over the resulting username and creates a practical account takeover path if the attacker can register with an unverified email matching an existing user.

Severity is CVSS v3.1 8.8 (High) (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). This is a recurring failure mode in SSO integrations: treating “presence of a claim” as equivalent to “claim is verified / trustworthy” is enough to collapse identity boundaries.

Who is impacted

  • JupyterHub deployments using jupyterhub/oauthenticator with Auth0OAuthenticator.
  • Deployments that use Auth0 email as the JupyterHub username claim (the advisory calls out email as username_claim).

| Component | Affected versions | Patched version |
|---|---|---|
| oauthenticator (pip) | < 17.4.0 | 17.4.0 |

What to do now

  • Follow vendor remediation guidance and apply the patched release.
    • "Upgrade oauthenticator to 17.4"
  • Reduce immediate takeover risk in Auth0-backed deployments:
    • "Check email_verified field in an Authenticator.post_auth_hook function"
    • "Do not use email as the username claim"
    • "Enforce email verification in auth0"
  • Incident-minded validation:
    • Review JupyterHub auth logs for new/unknown Auth0 identities logging in as established JupyterHub usernames (especially where usernames are email addresses).
    • If suspicious access is found, rotate credentials/tokens reachable from user notebook environments (common blast radius in JupyterHub setups).
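
The first interim mitigation above, a `post_auth_hook` that refuses logins whose Auth0 email is not verified, looks roughly like the following. This is an added illustration, not code from oauthenticator or from the advisory; it assumes JupyterHub's `post_auth_hook(authenticator, handler, authentication)` calling convention, that returning `None` denies the login, and that oauthenticator stores the provider's user-info response under `auth_state["oauth_user"]` (check the key name against your installed version).

```python
"""Constructed example: deny JupyterHub logins whose Auth0 email is unverified.
Not code from oauthenticator or the advisory; key names are assumptions."""
import logging
from typing import Any, Optional

log = logging.getLogger("jupyterhub.post_auth_hook")


def reject_unverified_email(authenticator: Any, handler: Any,
                            authentication: Optional[dict]) -> Optional[dict]:
    """Return `authentication` unchanged when Auth0 vouched for the address,
    or None so that JupyterHub treats the login as failed."""
    if authentication is None:
        return None  # an earlier stage already rejected this login
    auth_state = authentication.get("auth_state") or {}
    # Assumption: oauthenticator keeps the IdP user-info JSON here.
    user_info = auth_state.get("oauth_user") or {}
    username = authentication.get("name")
    email = user_info.get("email")

    # Auth0 sets email_verified to boolean True only after confirmation.
    # Anything else ("true", 1, missing) is treated as unverified, which is
    # exactly the "presence of a claim != verified claim" point in the advisory.
    if user_info.get("email_verified") is not True:
        log.warning("denying login for %r: email %r is not verified", username, email)
        return None
    return authentication


# Constructed sample authentication dicts, shaped like what the hook receives.
VERIFIED_LOGIN = {"name": "alice@example.com", "admin": False,
                  "auth_state": {"oauth_user": {"sub": "auth0|1",
                                                "email": "alice@example.com",
                                                "email_verified": True}}}
UNVERIFIED_LOGIN = {"name": "alice@example.com", "admin": False,
                    "auth_state": {"oauth_user": {"sub": "auth0|2",
                                                  "email": "alice@example.com",
                                                  "email_verified": False}}}

# In jupyterhub_config.py (assumed trait names):
#   c.Authenticator.post_auth_hook = reject_unverified_email
#   c.Auth0OAuthenticator.username_claim = "sub"   # stable id instead of email

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("verified   ->", reject_unverified_email(None, None, VERIFIED_LOGIN) is not None)
    print("unverified ->", reject_unverified_email(None, None, UNVERIFIED_LOGIN) is not None)
```

The hook only closes the verification gap; switching `username_claim` away from email, as the advisory also recommends, removes the attacker's control over the mapped username altogether.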
