Jan 7, 2026 · 5 min read
Bokeh versions < 3.8.2 used Python's `zip()` function to validate WebSocket origins. Because `zip()` stops at the shortest of its inputs, a label-by-label comparison succeeds as soon as every label of the shorter allowlist entry matches, regardless of any labels the host has after it; an attacker controlling `target.com.evil.com` could therefore bypass an allowlist for `target.com`. This allows attackers to hijack interactive visualization sessions.
A logic error in the Bokeh visualization library allows attackers to bypass WebSocket origin validation. By exploiting the behavior of Python's `zip()` function, malicious sites can masquerade as trusted origins, leading to Cross-Site WebSocket Hijacking (CSWSH).
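To make the flaw concrete, here is an added illustration (constructed for this write-up, not Bokeh's own code) of a `zip()`-based label comparison beside a hardened version that also checks the label count; the `*` wildcard support and the sample hostnames are assumptions.

```python
"""Constructed illustration of the zip() partial-match flaw and a hardened check.

Not Bokeh's code: the '*' wildcard and hostnames below are assumptions.
"""
from urllib.parse import urlparse


def _host_labels(value: str) -> list[str]:
    """Split 'a.b.c' into ['a', 'b', 'c'], lower-cased, trailing dot removed."""
    return value.lower().rstrip(".").split(".")


def vulnerable_match(host: str, pattern: str) -> bool:
    """Label-by-label comparison driven by zip(): iteration stops at the
    shorter list, so matching every label of the *pattern* is enough even
    when the host carries extra labels ('target.com.evil.com' vs 'target.com')."""
    for h, p in zip(_host_labels(host), _host_labels(pattern)):
        if h != p and p != "*":  # '*' wildcard is an assumption of this example
            return False
    return True


def hardened_match(host: str, pattern: str) -> bool:
    """Same wildcard semantics, but the label counts must be equal, so a
    longer (or shorter) host can never satisfy a pattern of another length."""
    h_labels, p_labels = _host_labels(host), _host_labels(pattern)
    if len(h_labels) != len(p_labels):
        return False
    return all(h == p or p == "*" for h, p in zip(h_labels, p_labels))


def origin_allowed(origin: str, allowlist: list[str], matcher) -> bool:
    """Pull the host out of an Origin header value (port dropped) and test it
    against every allowlist entry with the given matcher."""
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return any(matcher(parsed.hostname, pattern) for pattern in allowlist)


if __name__ == "__main__":
    allow = ["target.com"]  # constructed allowlist
    for origin in ("https://target.com", "https://target.com.evil.com", "https://evil.com"):
        print(f"{origin:32} vulnerable={origin_allowed(origin, allow, vulnerable_match)!s:5} "
              f"hardened={origin_allowed(origin, allow, hardened_match)}")
```

Running the block shows the vulnerable matcher accepting `https://target.com.evil.com` while the hardened matcher rejects it and still accepts the legitimate origin.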
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Bokeh | < 3.8.2 | 3.8.2 |

| Attribute | Detail |
|---|---|
| CWE | CWE-1385 (Missing Origin Validation in WebSockets) |
| Attack Vector | Network (AV:N) |
| CVSS | 7.4 (High) |
| Impact | Session Hijacking / Data Exfiltration |
| Root Cause | Logic Error (Iterating over partial match) |
| Patch Status | Available (v3.8.2) |