SCA: security update for bokeh (GHSA-793v-589g-574v)

high Tenable Cloud Security Plugin ID 436592

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data or modifying visualizations. This issue is fixed in version 3.8.2. (CVE-2026-21883)
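The description above does not spell out the flawed comparison; the following added example (not Bokeh's or Tenable's code) assumes a prefix-style match as the illustration of the bug and shows it beside a strict Origin check that compares the parsed hostname exactly, or on a label boundary for `*.`-style entries. The allowlist values are constructed samples.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed sample allowlist, in the style of a server operator's config
# (assumed format; not Bokeh's own option syntax).
ALLOWLIST = ["dashboard.corp", "*.internal.corp"]


def origin_host(origin: str) -> str | None:
    """Return the lowercase hostname from an Origin header value, or None
    if the value is not an http(s) origin (e.g. the literal 'null')."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def flawed_is_allowed(origin: str, allowlist: list[str]) -> bool:
    """Hypothetical weak check (an assumption, not Bokeh's actual code):
    accepts any host that merely *starts with* an allowlisted name, so
    dashboard.corp.attacker.com passes for the entry dashboard.corp."""
    host = origin_host(origin)
    if host is None:
        return False
    return any(host.startswith(entry.lower().lstrip("*.")) for entry in allowlist)


def is_allowed(origin: str, allowlist: list[str]) -> bool:
    """Strict check: exact hostname match, or for '*.example' a suffix match
    that must sit on a dot boundary, so 'evil-example' never qualifies."""
    host = origin_host(origin)
    if host is None:
        return False
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]  # ".internal.corp" keeps the boundary dot
            if host != suffix and host.endswith(suffix):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    for o in ("http://dashboard.corp/", "http://dashboard.corp.attacker.com/", "null"):
        print(o, "flawed:", flawed_is_allowed(o, ALLOWLIST), "strict:", is_allowed(o, ALLOWLIST))
```

Rejected origins are a useful detection signal: logging the Origin value on every refused WebSocket handshake surfaces look-alike registrations of your allowlisted names.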

See Also

https://github.com/advisories/GHSA-793v-589g-574v

Plugin Details

Severity: High

ID: 436592

Version: Revision 1.84

Type: Local

Family: SCA Checks

Published: 1/6/2026

Updated: 7/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-21883

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.4

Threat Score: 4.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/6/2026

Vulnerability Publication Date: 1/6/2026

Reference Information

CVE: CVE-2026-21883