CVE-2026-21883

5.4 MEDIUM
Published: January 08, 2026 Modified: March 09, 2026
View on NVD

Description

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e
Source: security-advisories@github.com
Patch
https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v
Source: security-advisories@github.com
Vendor Advisory Exploit
https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883/
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Mitigation Third Party Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.0%
1th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-1385

Affected Vendors

bokeh

Related CVEs

CVE-2026-4680 8.8
CVE-2026-4679 N/A
CVE-2026-4678 N/A
CVE-2026-4677 N/A
CVE-2026-4676 N/A