Zero Day MonitorZDM

← Back to list

5.9

CVE-2026-34052PATCHED

pypa · jupyterhub-ltiauthenticator

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

Description

LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Prior to version 1.6.3, the LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service. This issue has been patched in version 1.6.3.

Affected Products

Vendor	Product	Versions
pypa	jupyterhub-ltiauthenticator	< 1.6.3

References

https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-8mxq-7xr7-2fxj(x_refsource_CONFIRM)
https://github.com/jupyterhub/ltiauthenticator/releases/tag/1.6.3(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB5d ago

CVE-2026-34052 | jupyterhub ltiauthenticator up to 1.6.2 memory leak (GHSA-8mxq-7xr7-2fxj)

→ No new info (linked only)

CVSS 3.15.9 MEDIUM

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

jupyterhub-ltiauthenticator@1.6.3

CWECWE-401, CWE-770

PublishedApr 3, 2026

Last enriched5d agov2

Tags

GHSA-8mxq-7xr7-2fxjpip

Trending Score11

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-39981

AGiXT has a Path Traversal in safe_join()

HIGHCVE-2026-34824

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

HIGHCVE-2024-49048

TorchGeo Remote Code Execution Vulnerability

CRITICALCVE-2025-15036

A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present

CRITICALCVE-2025-15379

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: affectedVersions, severity

Apr 4, 2026

Patch Available

Apr 6, 2026

Version History

v2

Last enriched 5d ago

v2Tier C5d ago

Updated affected versions to include 1.6.2, changed severity to HIGH, and noted no exploit available.

affectedVersionsseverity

via VulDB

v16d ago

Initial creation