Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims
High severity
GitHub Reviewed
Published
Apr 2, 2026
in
jupyterhub/oauthenticator
•
Updated Apr 6, 2026
Description
Published to the GitHub Advisory Database
Apr 3, 2026
Reviewed
Apr 3, 2026
Published by the National Vulnerability Database
Apr 3, 2026
Last updated
Apr 6, 2026
Summary
An authentication bypass vulnerability in
oauthenticatorallows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. Whenemailis used as the usrname_claim, this gives users control over their username and the possibility of account takeover.Impact
This is an Authentication Bypass Vulnerability. Any Auth0 tenant leveraging the
Auth0OAuthenticatormapping theemailclaim to the JupyterHub username is impacted. By default, Auth0 handles email verification as a user flag, not a hard block to authentication streams. If an attacker can register an account with the Auth0 tenant with an unverified email and knows the email of an existing user on the system, they can authenticate as that user.Patches
Workarounds
email_verifiedfield in anAuthenticator.post_auth_hookfunctionemailas the username claimReferences