{"id":"GHSA-cg54-gpgr-4rm6","summary":"user-readable api tokens in systemd units for JupyterHub","details":"### Impact\nuser API tokens issued to single-user servers are specified in the environment of systemd units, which are accessible to all users.\n\nIn particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default.\n\n### Patches\nPatched in jupyterhub-systemdspawner v0.15\n\n### Workarounds\nNo workaround other than upgrading systemdspawner to 0.15\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open a thread in [the Jupyter forum](https://discourse.jupyter.org)\n* Email us at [security@ipython.org](mailto:security@ipython.org)","aliases":["CVE-2020-26261","PYSEC-2020-52"],"modified":"2026-05-07T05:01:55.700194009Z","published":"2020-12-09T16:27:43Z","database_specific":{"github_reviewed":true,"cwe_ids":["CWE-668"],"severity":"HIGH","github_reviewed_at":"2020-12-09T16:25:35Z","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26261"},{"type":"WEB","url":"https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580"},{"type":"PACKAGE","url":"https://github.com/jupyterhub/systemdspawner"},{"type":"WEB","url":"https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub-systemdspawner/PYSEC-2020-52.yaml"},{"type":"WEB","url":"https://pypi.org/project/jupyterhub-systemdspawner"}],"affected":[{"package":{"name":"jupyterhub-systemdspawner","ecosystem":"PyPI","purl":"pkg:pypi/jupyterhub-systemdspawner"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.15.0"}]}],"versions":["0.10","0.11","0.12","0.13","0.14","0.9","0.9.1","0.9.10","0.9.11","0.9.12","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-cg54-gpgr-4rm6/GHSA-cg54-gpgr-4rm6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U"}]}