A vulnerability, which was classified as problematic , was found in jupyterhub up to 5.4.4 . Affected is an unknown function of the file /hub/spawn of the component JSON API . Such manipulation leads to cross-site request forgery. This vulnerability is documented as CVE-2026-40864 . The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.