{"id":"CVE-2020-26261","details":"jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15","aliases":["GHSA-cg54-gpgr-4rm6","PYSEC-2020-52"],"modified":"2026-05-19T04:01:24.386024831Z","published":"2020-12-09T17:15:30.603Z","database_specific":{},"references":[{"type":"ADVISORY","url":"https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015"},{"type":"ADVISORY","url":"https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6"},{"type":"FIX","url":"https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580"},{"type":"PACKAGE","url":"https://pypi.org/project/jupyterhub-systemdspawner/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jupyterhub/systemdspawner","events":[{"introduced":"0"},{"fixed":"7d7cf42db76d9cfa5a4bc42fff14943877ac570b"},{"fixed":"a4d08fd2ade1cfd0ef2c29dc221e649345f23580"}],"database_specific":{"cpe":"cpe:2.3:a:jupyterhub:systemdspawner:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.15"}]}}],"versions":["0.14.0","v0.13","v0.11","v0.10","v0.9.9","0.9.7","v0.9.6","v0.9.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26261.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"}]}