5.4
CVE-2026-21883
- EPSS 0.16%
- Veröffentlicht 08.01.2026 01:20:53
- Zuletzt bearbeitet 09.03.2026 14:00:25
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginBokeh server applications have Incomplete Origin Validation in WebSockets
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.054 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
|
| security-advisories@github.com | 4.5 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-1385 Missing Origin Validation in WebSockets
The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v
https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e
https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883/