CVE-2026-23528

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa	Patch
https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:anaconda:dask:*:*:*:*:*:python:*:*

History

17 Jun 2026, 10:21

Type	Values Removed	Values Added
Summary		(es) Dask distributed es un planificador de tareas distribuido para Dask. Antes de 2026.1.0, cuando Jupyter Lab, jupyter-server-proxy y Dask distributed se ejecutan todos juntos, es posible crear una URL que resultará en la ejecución de código por parte de Jupyter debido a un error de cross-site-scripting (XSS) en el panel de control de Dask. Es posible para los atacantes crear una URL de phishing que asume que Jupyter Lab y Dask pueden estar ejecutándose en localhost y usando puertos predeterminados. Si un usuario hace clic en el enlace malicioso, se abrirá una página de error en el panel de control de Dask a través del proxy de Jupyter Lab, lo que hará que se ejecute código por el kernel de Python predeterminado de Jupyter. Esta vulnerabilidad está corregida en 2026.1.0.

12 Mar 2026, 18:29

Type	Values Removed	Values Added
First Time		Anaconda dask Anaconda
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
References	~~() https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa -~~	() https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa - Patch
References	~~() https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2 -~~	() https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2 - Vendor Advisory
CPE		cpe:2.3:a:anaconda:dask::::::python::*

16 Jan 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-16 17:15

Updated : 2026-06-17 10:21

NVD link : CVE-2026-23528

Mitre link : CVE-2026-23528

CVE.ORG link : CVE-2026-23528

JSON object : View

Products Affected

anaconda

dask

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-250

Execution with Unnecessary Privileges

6.1 /10