CVE-2026-21883 MEDIUM

CVE-2026-21883: Bokeh server applications have Incomplete Origin Validation in WebSockets

Vendor Bokeh
Product bokeh
Weakness CWE-1385
Published January 8, 2026
Last update January 23, 2026

CVSS base score

4.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.

Key dates

02Disclosure timeline

January 8, 2026 CVE published
January 23, 2026 Record updated