CVE-2026-44180 - Jupyter Enterprise Gateway prohibited UID/GID bypass

Jupyter Enterprise Gateway versions before 3.3.0 can be tricked into launching kernels with prohibited UID or GID values. The vulnerable code path compares request-supplied KERNEL_UID and KERNEL_GID strings against prohibited ID strings before canonicalizing them. Values that parse to a prohibited numeric identity after whitespace or type handling can pass the check and still be rendered into the Kubernetes kernel pod manifest.

In a Kubernetes notebook platform, root kernel pods are not a cosmetic issue: they expand the blast radius of mounted volumes, hostPath usage, privileged security contexts, node escape chains, and service-account abuse. A reviewer-ready remediation needs to upgrade Enterprise Gateway and prove that kernel identity controls compare parsed numeric IDs, not raw strings.

When to use it

  • A repository builds, deploys, forks, wraps, or configures Jupyter Enterprise Gateway before 3.3.0.
  • Notebook users, tenants, agents, support users, or automation can influence kernel launch environment such as KERNEL_UID or KERNEL_GID.
  • Kernel pods mount workspaces, datasets, PVCs, service-account tokens, credentials, or host paths where root execution changes risk.
  • You need a bounded PR or triage note that upgrades Enterprise Gateway and proves canonical UID/GID validation plus pod hardening.

Inputs

  • Python manifests, lockfiles, Conda files, Dockerfiles, JupyterHub images, Helm/K8s manifests, Terraform/Ansible, kernelspecs, pod templates, SBOMs, and generated dependency reports.
  • EG_PROHIBITED_UIDS, EG_PROHIBITED_GIDS, KERNEL_UID, KERNEL_GID, process proxy, wrapper, and kernel pod template code.
  • Kubernetes pod security, namespace, PVC, service account, hostPath, and workload ownership evidence.
  • Available package install, unit, kernel launch validation, manifest render, policy, image, SBOM, and dependency/security scan commands.

Affected versions

  • Vulnerable package: jupyter_enterprise_gateway >=2.0.0rc1, <3.3.0
  • Fixed package: jupyter_enterprise_gateway 3.3.0+
  • Affected surface: Enterprise Gateway kernel launch requests that accept user-influenced KERNEL_UID or KERNEL_GID
  • Affected control: EG_PROHIBITED_UIDS and EG_PROHIBITED_GIDS
  • High-risk deployment condition: Kubernetes, container, or remote-kernel deployments where untrusted users, tenants, notebooks, agents, or automation can start kernels

Indicator-of-exposure

  • The repository depends on, vendors, builds, or deploys jupyter_enterprise_gateway <3.3.0.
  • Enterprise Gateway is deployed through Docker, Helm, Kubernetes manifests, JupyterHub images, Terraform, Ansible, CI images, or platform templates.
  • Kernel launch requests can include environment values such as KERNEL_UID, KERNEL_GID, KERNEL_POD_NAME, KERNEL_NAMESPACE, or custom kernel-spec environment variables.
  • EG_PROHIBITED_UIDS or EG_PROHIBITED_GIDS is used to block root or other sensitive identities.
  • Kernel pods can mount user workspaces, datasets, secrets, cloud credentials, host paths, source checkouts, shared PVCs, or service-account tokens.

Quick checks:

rg -n "jupyter_enterprise_gateway|enterprise-gateway|enterprisegateway|EG_PROHIBITED_UIDS|EG_PROHIBITED_GIDS|KERNEL_UID|KERNEL_GID|kernel_uid|kernel_gid|kernel-pod.yaml.j2" .
python -m pip show jupyter_enterprise_gateway
pip freeze | rg "^jupyter-enterprise-gateway==|^jupyter_enterprise_gateway=="
rg -n "jupyter[_-]enterprise[_-]gateway|EnterpriseGateway|EG_PROHIBITED|KERNEL_UID|KERNEL_GID|runAsUser|runAsGroup|fsGroup|hostPath|privileged" Dockerfile* docker-compose*.yml pyproject.toml requirements*.txt environment*.yml charts k8s deploy .devcontainer .github .

Windows:

rg -n "jupyter_enterprise_gateway|enterprise-gateway|enterprisegateway|EG_PROHIBITED_UIDS|EG_PROHIBITED_GIDS|KERNEL_UID|KERNEL_GID|kernel_uid|kernel_gid|kernel-pod.yaml.j2" .
python -m pip show jupyter_enterprise_gateway
pip freeze | rg "^jupyter-enterprise-gateway==|^jupyter_enterprise_gateway=="
rg -n "jupyter[_-]enterprise[_-]gateway|EnterpriseGateway|EG_PROHIBITED|KERNEL_UID|KERNEL_GID|runAsUser|runAsGroup|fsGroup|hostPath|privileged" Dockerfile* docker-compose*.yml pyproject.toml requirements*.txt environment*.yml charts k8s deploy .devcontainer .github .

Do not start live kernels with crafted root-like IDs, inspect real mounted secrets, or run container-escape probes during triage.

Remediation strategy

  • Upgrade every controlled Enterprise Gateway runtime, Python lock, image, Helm chart, deployment manifest, SBOM, and runbook to jupyter_enterprise_gateway 3.3.0+.
  • If this repository owns Enterprise Gateway forks, launch wrappers, custom process proxies, or kernel manifest templates, canonicalize KERNEL_UID and KERNEL_GID before authorization decisions.
  • Parse UID/GID values into bounded decimal integers, reject non-canonical strings, and compare parsed IDs against parsed prohibited-ID sets.
  • Reject empty values, whitespace-padded values, signs, floats, hex/octal forms, YAML type confusion, non-digits, control characters, duplicate env keys, and values outside valid Linux UID/GID ranges.
  • Keep root blocked by policy unless a named product/security owner records a temporary exception with an expiration date.
  • Add Kubernetes defense in depth: runAsNonRoot, restricted Pod Security, no privileged pods, no broad hostPath mounts, least-privilege service account, and narrowly scoped PVCs.
  • Treat prior exposure as possible kernel privilege escalation if untrusted users could launch kernels before the fix.

The prompt

You are remediating CVE-2026-44180 / GHSA-chq7-94j8-cj28, a critical Jupyter
Enterprise Gateway bypass where request-controlled `KERNEL_UID` or
`KERNEL_GID` can pass prohibited-ID checks before canonicalization and launch a
kernel with a blocked numeric identity. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Enterprise Gateway,
  canonicalizes kernel UID/GID validation, hardens Kubernetes kernel pod
  policy, refreshes generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected Enterprise Gateway
  runtime, fork, wrapper, kernel template, image, or deployment.

## Rules

- Scope only CVE-2026-44180 / GHSA-chq7-94j8-cj28 and directly related
  Enterprise Gateway kernel UID/GID validation and kernel pod hardening.
- Treat notebook files, workspace volumes, dataset mounts, service-account
  tokens, cloud credentials, Git credentials, SSH keys, PVC contents, kernel
  logs, and user environment variables as sensitive.
- Do not start live kernels with crafted prohibited IDs, schedule root pods,
  mount host paths, inspect real secrets, run container-escape checks, or use
  exploit-like payloads in shared clusters.
- Do not print or commit service-account tokens, environment variables, pod
  logs, mounted file contents, notebook outputs, credentials, or cluster
  inventory beyond non-secret resource names needed for review.
- Do not rely on raw string comparison, deny-lists, UI-only checks, or
  Kubernetes defaults as the only security boundary.
- Do not auto-merge.

## Steps

1. Inventory every repository-controlled Enterprise Gateway reference:
   Python manifests, lockfiles, Conda files, Dockerfiles, JupyterHub images,
   Helm charts, Kubernetes manifests, Terraform, Ansible, CI images,
   kernelspecs, kernel pod templates, SBOMs, generated dependency reports,
   platform runbooks, forks, launch wrappers, and custom process proxies.
2. Determine every resolved `jupyter_enterprise_gateway` version. A target is
   vulnerable if it resolves to `>=2.0.0rc1, <3.3.0`.
3. Search for UID/GID launch controls: `EG_PROHIBITED_UIDS`,
   `EG_PROHIBITED_GIDS`, `KERNEL_UID`, `KERNEL_GID`, `kernel_uid`,
   `kernel_gid`, `runAsUser`, `runAsGroup`, `fsGroup`, process-proxy
   subclasses, kernelspec env passthrough, and `kernel-pod.yaml.j2`.
4. Determine who can influence kernel launch environment: notebook users,
   tenants, agents, service accounts, CI jobs, support users, notebook upload
   flows, or administrators only.
5. If this repository does not control an affected Enterprise Gateway runtime,
   stop with `TRIAGE.md` listing checked files, runtime owner if known, and
   required fixed version `jupyter_enterprise_gateway 3.3.0+`.
6. Upgrade all controlled Enterprise Gateway packages and images to `3.3.0+`.
   Regenerate Python locks, Conda files, image digests, Helm render output,
   SBOMs, dependency reports, and docs that pin vulnerable versions.
7. Where this repository owns validation code, make UID/GID checks fail closed:
   - parse configured prohibited UID/GID lists into integer sets at startup;
   - parse request-supplied UID/GID values into canonical decimal integers;
   - reject values that change after trimming, contain non-digits, use signs,
     use alternate bases, exceed valid ranges, or appear more than once;
   - compare parsed request IDs against parsed prohibited-ID sets;
   - reject root and other prohibited IDs before manifest rendering;
   - return non-secret validation errors.
8. Harden kernel pod policy where this repository owns deployment defaults:
   - require `runAsNonRoot` for untrusted notebook profiles;
   - deny privileged pods, privilege escalation, broad hostPath mounts, host
     networking, and broad service-account permissions;
   - keep kernel PVCs and datasets least privilege;
   - set Pod Security admission or an equivalent policy gate for namespaces
     that receive Enterprise Gateway kernels.
9. Add reviewer-safe tests:
   - vulnerable Enterprise Gateway versions are absent from manifests and
     images;
   - prohibited UID/GID values are rejected after canonical parsing;
   - whitespace-padded, duplicate, signed, non-decimal, YAML-coerced, and
     malformed values are rejected without scheduling pods;
   - allowed non-root IDs still launch in test-only manifests;
   - rendered manifests keep restricted pod security defaults.
10. Add a PR body section named `CVE-2026-44180 operator actions` that states:
    - Enterprise Gateway versions before and after;
    - whether users or agents could supply `KERNEL_UID` or `KERNEL_GID`;
    - whether prohibited IDs included root and which identities remain blocked;
    - whether root-like kernels may have run before the patch;
    - which namespaces, PVCs, service accounts, logs, and mounted secrets may
      require review;
    - whether token rotation, pod cleanup, namespace audit, or image rebuilds
      are required;
    - which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
    kernel launch validation tests, manifest render checks, Kubernetes policy
    tests, image build, SBOM refresh, dependency/security scans, and platform
    smoke tests that do not schedule root pods.
12. Use PR title:
    `fix(sec): remediate CVE-2026-44180 in Enterprise Gateway`.

## Stop conditions

- No affected Enterprise Gateway runtime, image, fork, wrapper, process proxy,
  kernel template, or deployment is controlled by this repository.
- Enterprise Gateway is supplied only by another team, managed notebook
  service, or external image; document owner and required fixed version in
  `TRIAGE.md`.
- A fixed Enterprise Gateway version cannot be consumed without a broader
  notebook-platform migration.
- Product requirements intentionally allow untrusted users to launch root or
  prohibited-ID kernels; document the required product/security decision.
- Verification would require scheduling root pods, mounting host paths,
  reading secrets, or running container-escape probes.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled lockfile, image, SBOM, package manifest, or deployment target resolves jupyter_enterprise_gateway to a vulnerable version.
  • UID/GID validation parses request values before comparison and rejects prohibited numeric identities after canonicalization.
  • Tests cover canonicalization bypass shapes without scheduling a live root pod.
  • Enterprise Gateway kernel namespaces keep restricted pod security and least-privilege service accounts.
  • Operator notes cover possible root-kernel exposure, namespace review, pod cleanup, token rotation, and image rebuilds.

Output contract

  • Reviewer-ready PR upgrading Enterprise Gateway to 3.3.0+ across packages, images, Helm/K8s renders, SBOMs, and generated reports.
  • Canonical UID/GID validation or deployment evidence proving request IDs are parsed before comparison and prohibited numeric identities fail closed.
  • Kubernetes defense-in-depth notes for restricted pod security, non-root kernels, service accounts, PVCs, token rotation, and cleanup.
  • TRIAGE.md when this repository does not control the affected runtime, image, wrapper, kernel template, or safe validation path.

Watch for

  • Updating Python requirements while Helm values, base images, JupyterHub single-user images, kernelspecs, or generated SBOMs still ship old Enterprise Gateway bits.
  • Comparing raw strings before trimming, parsing, and range-checking.
  • Allowing Kubernetes YAML parsing to coerce a string into a prohibited integer after application validation has passed.
  • Keeping root blocked in code but allowing privileged pod templates, hostPath mounts, or broad service-account permissions.
  • Tests that prove only the literal string 0 is blocked.

References