CVE-2026-44180: Jupyter Enterprise Gateway ContainerProcessProxy._enforce_prohibited_ids Bypass
CVE-2026-44180 is a critical (CVSS 9.8) input validation bypass in Jupyter Enterprise Gateway versions >= 2.0.0rc1 and < 3.3.0. ContainerProcessProxy._enforce_prohibited_ids is the check that runs before a containerised kernel is launched; it is meant to reject launch requests whose KERNEL_UID or KERNEL_GID appears in the configured EG_PROHIBITED_UIDS / EG_PROHIBITED_GIDS lists (UID/GID 0, root, by default). In affected versions the check can be bypassed, so an attacker who can reach the kernel launch API can start a kernel container under an identity the operator intended to forbid. That defeats the gateway's container process isolation controls and can enable unauthorized kernel spawning, container escape, or execution of arbitrary workloads inside the enterprise gateway environment. A public proof-of-concept exists.
Vulnerability Intelligence
- Public PoC: yes
Affected Software
- Vendor: pip (PyPI package)
- Product: jupyter_enterprise_gateway
- Versions: >= 2.0.0rc1, < 3.3.0
Timeline
- Disclosed: June 3, 2026
What is CVE-2026-44180 (Jupyter Enterprise Gateway ContainerProcessProxy._enforce_prohibited_ids Bypass)?
CVE-2026-44180 maps to three MITRE ATT&CK tactics: Initial Access (the adversary is trying to get into your network, here through the exposed gateway kernel API), Privilege Escalation (launching a kernel under an identity the gateway was configured to refuse) and Lateral Movement (using the resulting kernel container as a pivot into adjacent workloads).
This page provides deployable detection logic for CVE-2026-44180 covering the telemetry the activity touches: DeviceProcessEvents and DeviceNetworkEvents. The queries are rated critical severity at medium confidence and are provided for seven SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo Logic, YARA-L and LogScale.
Detection Logic (KQL)
// Gateway-related process activity: Jupyter / Python processes whose command line references Enterprise Gateway
let SuspiciousKernelOps = DeviceProcessEvents
| where FileName in~ ("jupyter", "jupyter-enterprise-gateway", "python3", "python")
| where ProcessCommandLine has_any ("enterprise_gateway", "EnterpriseGateway", "ContainerProcessProxy")
| project TimeGenerated, DeviceId, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FileName;
// Outbound connections from the same binaries to common Jupyter / gateway ports
let NetworkActivity = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("jupyter", "python3", "python")
| where RemotePort in (8888, 8889, 9001, 9002)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, InitiatingProcessCommandLine;
// Keep process events carrying kernel-ID parameters and attach any gateway network activity from the same device
SuspiciousKernelOps
| join kind=leftouter NetworkActivity on DeviceId, DeviceName
| where ProcessCommandLine has_any ("kernel_id", "--kernel-id", "enforce_prohibited", "prohibited_ids")
    or ProcessCommandLine matches regex @"[?&]kernel[_-]id=[a-zA-Z0-9_\-]{8,}"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, RemoteIP, RemotePort
Detects suspicious Jupyter Enterprise Gateway process activity indicative of CVE-2026-44180 exploitation, including unusual kernel ID parameters and network connections from gateway processes. Two deployment caveats: the join on DeviceId/DeviceName carries no time constraint, so on a host with many gateway connections each process hit is multiplied by every matching network row; scope both inputs to a lookback window (for example `| where TimeGenerated > ago(1h)`) or aggregate NetworkActivity per device before joining. In Microsoft Defender Advanced Hunting the timestamp column is Timestamp rather than TimeGenerated. Because the query keys on kernel-ID parameters and gateway markers in command lines rather than on the UID/GID values the bypassed check polices, treat a hit as a lead to pivot into the gateway's HTTP logs rather than as confirmation of exploitation.
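To make the matching logic of the query above inspectable without a SIEM, here is an added Python re-implementation run over constructed endpoint events; it is not code from the page's detection package or from the Jupyter project. It mirrors the DeviceProcessEvents / DeviceNetworkEvents column names, approximates KQL's term-based has_any with case-insensitive substring matching, and adds one thing the KQL lacks: a time window on the process-to-network join (15 minutes, an assumed value) so a busy host does not multiply every hit. The device names, accounts, command lines and addresses are made up.

```python
"""Added example: the page's KQL detection for CVE-2026-44180 re-implemented in
Python over constructed DeviceProcessEvents / DeviceNetworkEvents rows.
Not from the original page or the Jupyter project; all sample data is made up."""
import re
from datetime import datetime, timedelta

# Same literals as the KQL query.
GATEWAY_BINARIES = {"jupyter", "jupyter-enterprise-gateway", "python3", "python"}
GATEWAY_MARKERS = ("enterprise_gateway", "enterprisegateway", "containerprocessproxy")
KERNEL_ID_TOKENS = ("kernel_id", "--kernel-id", "enforce_prohibited", "prohibited_ids")
KERNEL_ID_PARAM = re.compile(r"[?&]kernel[_-]id=[a-zA-Z0-9_\-]{8,}")
GATEWAY_PORTS = {8888, 8889, 9001, 9002}
# Assumption not present in the KQL: only pair network events seen this close to the process event.
JOIN_WINDOW = timedelta(minutes=15)


def is_suspicious_kernel_op(ev):
    """SuspiciousKernelOps filter plus the final kernel-ID predicate.
    KQL in~/has_any are case-insensitive; has_any is term-based and is approximated
    here by substring matching on the lower-cased command line."""
    if ev["FileName"].lower() not in GATEWAY_BINARIES:
        return False
    cmd = ev["ProcessCommandLine"]
    lowered = cmd.lower()
    if not any(marker in lowered for marker in GATEWAY_MARKERS):
        return False
    return any(tok in lowered for tok in KERNEL_ID_TOKENS) or bool(KERNEL_ID_PARAM.search(cmd))


def is_gateway_network_event(ev):
    """NetworkActivity filter: gateway binaries talking to the listed ports."""
    return (ev["InitiatingProcessFileName"].lower() in GATEWAY_BINARIES
            and ev["RemotePort"] in GATEWAY_PORTS)


def correlate(process_events, network_events, window=JOIN_WINDOW):
    """Left-outer join on DeviceId/DeviceName constrained to a time window.
    Unmatched process hits are kept with RemoteIP/RemotePort set to None."""
    net = [n for n in network_events if is_gateway_network_event(n)]
    rows = []
    for p in process_events:
        if not is_suspicious_kernel_op(p):
            continue
        matches = [n for n in net
                   if (n["DeviceId"], n["DeviceName"]) == (p["DeviceId"], p["DeviceName"])
                   and abs(n["TimeGenerated"] - p["TimeGenerated"]) <= window]
        for n in matches or [None]:
            rows.append({"TimeGenerated": p["TimeGenerated"], "DeviceName": p["DeviceName"],
                         "AccountName": p["AccountName"], "ProcessCommandLine": p["ProcessCommandLine"],
                         "RemoteIP": n["RemoteIP"] if n else None,
                         "RemotePort": n["RemotePort"] if n else None})
    return rows


BASE = datetime(2026, 6, 3, 10, 0, 0)
LAUNCH = "/usr/bin/python3 /opt/eg/launch_kernel.py --kernel-id {kid} --EnterpriseGatewayApp.port=8888"


def sample_events():
    """Constructed telemetry: two kernel launches, one curl probe the query cannot
    see (FileName is curl, not a gateway binary), one benign pytest run, and three
    network events (one on an unlisted port, one outside the join window)."""
    process_events = [
        {"TimeGenerated": BASE, "DeviceId": "d1", "DeviceName": "eg-node-1", "AccountName": "jovyan",
         "FileName": "python3", "ProcessCommandLine": LAUNCH.format(kid="7f3c9a2b1e4d"),
         "InitiatingProcessCommandLine": "jupyter-enterprisegateway --ip=0.0.0.0"},
        {"TimeGenerated": BASE + timedelta(minutes=1), "DeviceId": "d1", "DeviceName": "eg-node-1",
         "AccountName": "analyst", "FileName": "curl",
         "ProcessCommandLine": "curl -s -X POST http://eg-node-1:8888/api/kernels?kernel_id=aaaaaaaa1111",
         "InitiatingProcessCommandLine": "bash"},
        {"TimeGenerated": BASE + timedelta(minutes=5), "DeviceId": "d1", "DeviceName": "eg-node-1",
         "AccountName": "ci", "FileName": "python3", "ProcessCommandLine": "python3 -m pytest tests/",
         "InitiatingProcessCommandLine": "bash"},
        {"TimeGenerated": BASE + timedelta(hours=1), "DeviceId": "d2", "DeviceName": "eg-node-2",
         "AccountName": "jovyan", "FileName": "python3", "ProcessCommandLine": LAUNCH.format(kid="0c1d2e3f4a5b"),
         "InitiatingProcessCommandLine": "jupyter-enterprisegateway --ip=0.0.0.0"},
    ]
    network_events = [
        {"TimeGenerated": BASE + timedelta(minutes=2), "DeviceId": "d1", "DeviceName": "eg-node-1",
         "InitiatingProcessFileName": "python3", "RemoteIP": "10.0.0.20", "RemotePort": 8888,
         "InitiatingProcessCommandLine": LAUNCH.format(kid="7f3c9a2b1e4d")},
        {"TimeGenerated": BASE + timedelta(minutes=2), "DeviceId": "d1", "DeviceName": "eg-node-1",
         "InitiatingProcessFileName": "python3", "RemoteIP": "10.0.0.30", "RemotePort": 443,
         "InitiatingProcessCommandLine": "python3 -m pip install requests"},
        {"TimeGenerated": BASE, "DeviceId": "d2", "DeviceName": "eg-node-2",
         "InitiatingProcessFileName": "python3", "RemoteIP": "10.0.0.40", "RemotePort": 8889,
         "InitiatingProcessCommandLine": LAUNCH.format(kid="0c1d2e3f4a5b")},
    ]
    return process_events, network_events


def run_detection():
    """Run the correlated detection over the constructed sample and return the result rows."""
    return correlate(*sample_events())


if __name__ == "__main__":
    for row in run_detection():
        print(row["DeviceName"], row["AccountName"], row["RemoteIP"], row["RemotePort"])
```

`run_detection()` returns two rows: the launch on eg-node-1 paired with its connection to port 8888 (the port-443 connection is filtered out), and the launch on eg-node-2 with no network match because its only gateway connection is an hour away. The curl-based probe is deliberately missed, which is the query's blind spot: it only inspects jupyter/python binaries, so API probing from other tools has to be caught in the gateway's HTTP logs.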
Data Sources
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
False Positives
- Legitimate data science workflows spawning many kernels with custom IDs in dev environments
- Automated CI/CD pipelines running notebook tests via enterprise gateway
- Monitoring or health-check tooling that queries gateway endpoints on expected ports
Sigma rule & cross-platform mapping
The detection logic above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, the detection targets the following logsource:
logsource:
  category: process_creation
  product: linux
The product is linux rather than windows: Enterprise Gateway launches kernels as python3 processes in Linux containers, which is what the process names in the query and the container-namespace and /proc telemetry in the testing methodology assume.
Testing Methodology
Validate this detection against the three adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Spawn unauthorized kernel via ID bypass on vulnerable gateway
  Expected signal: Process creation events for python3 spawned as a child of jupyter-enterprise-gateway with a command line containing the test kernel_id value; HTTP access log entries showing POST /api/kernels with status 201 for requests that should have been rejected.
- Test 2: Enumerate the gateway kernel API for ID restriction bypass
  Expected signal: Multiple sequential HTTP POST requests to the /api/kernels gateway endpoint within a short timeframe, with varying kernel_id values including path traversal and command injection patterns.
- Test 3: Simulate container escape via unrestricted kernel process spawning
  Expected signal: Container process creation events showing a python3 kernel process; if the escape succeeds, process events outside the container namespace; file access events for /proc/1/cgroup or /etc/hosts from the kernel process.
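Tests 1 and 2 both point at the gateway's HTTP access log as the place the signal shows up: a 201 on POST /api/kernels that should have been a rejection, and bursts of POSTs with varying kernel_id values. As an added example, not code from the page's detection package or from the Jupyter project, the script below scores a handful of constructed access-log lines for exactly those two signals. It assumes Jupyter's Tornado-style request line, `[I <timestamp> EnterpriseGatewayApp] <status> <method> <path> (<client ip>) <ms>ms`; the hostile-pattern list and the burst threshold (five POSTs carrying five distinct kernel_id values inside 60 seconds) are assumed values to tune for your environment.

```python
"""Added example: scoring constructed Jupyter Enterprise Gateway access-log lines for
the signals described in Tests 1 and 2. Not from the original page or the Jupyter
project; log format, thresholds and sample lines are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Tornado-style access line as emitted by the gateway's Jupyter logger.
LINE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+\] "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) \((?P<ip>[^)]+)\) (?P<ms>[\d.]+)ms$"
)
KERNEL_ID = re.compile(r"[?&]kernel[_-]id=([^&\s]*)")
# Test 2 patterns: path traversal and shell metacharacters, raw or percent-encoded (assumed list).
HOSTILE = re.compile(r"(\.\./|\.\.%2f|%2e%2e|[;|`$]|%3b|%7c|%60|%24)", re.IGNORECASE)
BURST_WINDOW = timedelta(seconds=60)   # assumed
BURST_MIN = 5                          # assumed


def parse(line):
    """Parse one access line into a dict, or return None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    k = KERNEL_ID.search(rec["path"])
    rec["kernel_id"] = k.group(1) if k else None
    return rec


def analyze(lines):
    """Return findings as (kind, client_ip, detail) tuples for kernel-launch requests."""
    recs = [r for r in map(parse, lines)
            if r and r["method"] == "POST" and r["path"].split("?")[0] == "/api/kernels"]
    findings = []
    # Test 1: a launch the gateway accepted (201) although the kernel_id carries a hostile pattern.
    for r in recs:
        if r["status"] == 201 and r["kernel_id"] and HOSTILE.search(r["kernel_id"]):
            findings.append(("accepted_hostile_kernel_id", r["ip"], r["kernel_id"]))
    # Test 2: one client issuing many launch requests with distinct kernel_id values in a short window.
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rs):
            window = [r for r in rs[i:] if r["ts"] - start["ts"] <= BURST_WINDOW]
            distinct_ids = {r["kernel_id"] for r in window if r["kernel_id"]}
            if len(window) >= BURST_MIN and len(distinct_ids) >= BURST_MIN:
                findings.append(("kernel_id_enumeration", ip, len(window)))
                break
    return findings


# Constructed sample: one normal client (10.0.0.5), one probing client (10.0.0.9) whose
# traversal/injection values are partly rejected (403) and partly accepted (201).
SAMPLE_LOG = """\
[I 2026-06-03 10:00:01.101 EnterpriseGatewayApp] 201 POST /api/kernels?kernel_id=a1b2c3d4e5f6 (10.0.0.5) 41.20ms
[I 2026-06-03 10:00:02.220 EnterpriseGatewayApp] 403 POST /api/kernels?kernel_id=..%2F..%2Fetc (10.0.0.9) 3.10ms
[I 2026-06-03 10:00:03.330 EnterpriseGatewayApp] 201 POST /api/kernels?kernel_id=..%2F..%2Fetc%2Fpasswd (10.0.0.9) 39.87ms
[I 2026-06-03 10:00:04.440 EnterpriseGatewayApp] 201 POST /api/kernels?kernel_id=x%3Bid (10.0.0.9) 38.00ms
[I 2026-06-03 10:00:05.550 EnterpriseGatewayApp] 201 POST /api/kernels?kernel_id=y%7Cwhoami (10.0.0.9) 37.50ms
[I 2026-06-03 10:00:06.660 EnterpriseGatewayApp] 403 POST /api/kernels?kernel_id=z%60uname%60 (10.0.0.9) 2.90ms
[I 2026-06-03 10:00:30.000 EnterpriseGatewayApp] 200 GET /api/kernels (10.0.0.7) 1.20ms
[I 2026-06-03 10:05:00.000 EnterpriseGatewayApp] 201 POST /api/kernels?kernel_id=f6e5d4c3b2a1 (10.0.0.5) 40.10ms
"""


def run_sample():
    """Analyze the constructed sample and return its findings."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

On the sample this yields three accepted_hostile_kernel_id findings for 10.0.0.9 (the two 403 lines are correctly not reported) and one kernel_id_enumeration finding for the same client, whose five POSTs fall inside one 60-second window. If the gateway sits behind an ingress or reverse proxy, the client address in the access line is the proxy's; key the burst check on the forwarded client address from the ingress log instead, or the enumeration signal collapses into one IP for everyone.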