CVE-2026-33175
Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
Description
### Summary An authentication bypass vulnerability in `oauthenticator` allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When `email` is used as the usrname_claim, this gives users control over their username and the possibility of account takeover. ### Impact This is an **Authentication Bypass Vulnerability**. Any Auth0 tenant leveraging the `Auth0OAuthenticator` mapping the `email` claim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user. ### Patches - Upgrade oauthenticator to 17.4 ### Workarounds - Check `email_verified` field in an `Authenticator.post_auth_hook` function - Do not use `email` as the username claim - [Enforce email verification in auth0](https://support.auth0.com/center/s/article/Enforce-Email-Verification-With-Sending-Email-After-Each-Denied-Access)
How to fix CVE-2026-33175
To remediate CVE-2026-33175, upgrade the affected package to a fixed version below.
- —upgrade to 17.4.0 or later
Is CVE-2026-33175 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 17.4.0
CVSS scores
| Source | Version |
|---|