CVE-2026-21883
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
EPSS 0.01% · 1.9th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | bokeh | 0 |
| bokeh | bokeh | < 3.8.2, 0 |
Timeline
- Jan 6, 2026 CVE Published
- Jan 8, 2026 EPSS Score
- Jan 8, 2026 PoC Published
- Jan 11, 2026 EPSS Score
- Jan 14, 2026 EPSS Score
- Jan 17, 2026 EPSS Score
- Jan 21, 2026 EPSS Score
- Jan 23, 2026 CVE Updated
- Jan 24, 2026 EPSS Score
- Jan 24, 2026 PoC Published
- Jan 27, 2026 EPSS Score
- Jan 30, 2026 EPSS Score
References
- https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v url
- https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e url
- https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883/ url
- https://nvd.nist.gov/vuln/detail/CVE-2026-21883 advisory
- https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883 url
- https://github.com/bokeh/bokeh package