First Use Authenticator

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:jupyterhub:first_use_authenticator:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorJupyterhub (b9fc67de-411f-5996-aa79-a32cff5a7e29)
ProductFirst Use Authenticator (fa1c3c41-15fc-5eb8-8c10-9f6c37e2543e)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/jupyterhub/firstuseauthenticator purl2cpe 2026-06-01 10:18:07.319883
pkg:pypi/jupyterhub-firstuseauthenticator purl2cpe 2026-06-01 10:18:07.319885

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2021-41194 vulnerable 2026-06-08 05:35:19.990105 Improper Access Control in jupyterhub-firstuseauthenticator
CRITICAL (9.1)
FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.
Published: 2021-10-28T19:40:12.000Z
Updated: 2024-08-04T03:08:31.328Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.