#1126730 dask.distributed: CVE-2026-23528

Package:
src:dask.distributed
Source:
src:dask.distributed
Submitter:
Salvatore Bonaccorso
Date:
2026-01-31 21:19:03 UTC
Severity:
normal
Tags:
#1126730#5
Date:
2026-01-31 21:17:55 UTC
From:
To:
Hi,

The following vulnerability was published for dask.distributed.

CVE-2026-23528[0]:
| Dask distributed is a distributed task scheduler for Dask. Prior to
| 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask
| distributed are all run together, it is possible to craft a URL
| which will result in code being executed by Jupyter due to a cross-
| side-scripting (XSS) bug in the Dask dashboard. It is possible for
| attackers to craft a phishing URL that assumes Jupyter Lab and Dask
| may be running on localhost and using default ports. If a user
| clicks on the malicious link it will open an error page in the Dask
| Dashboard via the Jupyter Lab proxy which will cause code to be
| executed by the default Jupyter Python kernel. This vulnerability is
| fixed in 2026.1.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23528
https://www.cve.org/CVERecord?id=CVE-2026-23528
[1] https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2
[2] https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore