CVE-2026-33175 OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims

🗓️ 03 Apr 2026 21:56:26Reported by GitHub_MType

CVE-2026-33175 enables login bypass in OAuthenticator via unverified email claims; fixed in 17.4.0.

Reporter	Title	Published	Views	Family All 17
ATTACKERKB	CVE-2026-33175	3 Apr 202621:56	–	attackerkb
Chainguard	CVE-2026-33175 vulnerabilities	6 Apr 202619:32	–	cgr
Circl	CVE-2026-33175	3 Apr 202623:01	–	circl
CNNVD	OAuthenticator 安全漏洞	3 Apr 202600:00	–	cnnvd
CVE	CVE-2026-33175	3 Apr 202621:56	–	cve
EUVD	EUVD-2026-18878	3 Apr 202621:35	–	euvd
Github Security Blog	Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims	3 Apr 202621:35	–	github
NVD	CVE-2026-33175	3 Apr 202622:16	–	nvd
OSV	CGA-MVJP-V692-QC98	6 Apr 202616:30	–	osv
OSV	CLEANSTART-2026-AN27706 Security fixes for CVE-2026-22815, CVE-2026-30922, CVE-2026-31958, CVE-2026-32597, CVE-2026-33175, CVE-2026-34052, CVE-2026-34073, CVE-2026-34513, CVE-2026-34514, CVE-2026-34515, CVE-2026-34516, CVE-2026-34517, CVE-2026-34518, CVE-2026-34519, CVE-2026-34520, CVE-2026-34525, CVE-2026-44431, CVE-2026-44432, ghsa-752w-5fwx-jx9f, ghsa-78cv-mqj4-43f7, ghsa-gc5v-m9x4-r6x2, ghsa-jr27-m4p2-rc6r, ghsa-m959-cc7f-wv43, ghsa-qjxf-f2mg-c6mc applied in versions: 4.3.2-r0, 4.3.2-r1, 4.3.2-r2, 4.3.2-r3	18 May 202613:26	–	osv

[
  {
    "vendor": "jupyterhub",
    "product": "oauthenticator",
    "versions": [
      {
        "version": "< 17.4.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/jupyterhub/oauthenticator/security/advisories/GHSA-rrvg-cxh4-qhrv
github	www.github.com/jupyterhub/oauthenticator/commit/f0c7002dc36e41efae0f674033cf7888a21d96f9
github	www.github.com/jupyterhub/oauthenticator/releases/tag/17.4.0

03 Apr 2026 21:56Current

CVSS 3.18.8

EPSS0.00148