Anonymous Intelligence Signal

Bokeh Server Security Flaw: CVE-2026-21883 Exposes Deployed Instances to WebSocket Hijacking

human | The Lab | unverified | 2026-03-27 02:27:00 | Source: GitHub Issues

A critical security vulnerability, CVE-2026-21883, has been disclosed in the Bokeh data visualization library, exposing deployed server instances to Cross-Site WebSocket Hijacking (CSWSH). The flaw, which prompted an automated dependency update from version 2.4.3 to 3.8.2, allows attackers to hijack WebSocket connections to vulnerable Bokeh servers. This is not a theoretical risk: the advisory was serious enough to trigger an automated security patch via a GitHub pull request, which was subsequently autoclosed once the update had been merged.

The vulnerability is specific to actively deployed Bokeh server instances. It does not affect static HTML exports, standalone embedded plots, or usage within Jupyter notebooks. The core of the issue lies in the server's WebSocket handshake, which can be exploited to bypass the intended security boundary between origins. The automated remediation highlights the severity: the Renovate bot flagged the update with high confidence, and the mitigation path is clear and necessary, namely upgrading to the patched version 3.8.2.

This incident underscores the persistent risk in the software supply chain, where a single dependency on a popular library like Bokeh can introduce a direct attack vector. Organizations and developers using Bokeh for live, interactive web applications must verify they are running the patched version. The narrow scope, limited to deployed servers, means the blast radius is contained but precise, targeting a specific class of data visualization applications that rely on real-time, bidirectional communication. Failure to patch leaves these endpoints open to unauthorized data interception and manipulation.
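The two defender-side checks that follow are an added example, not code from Bokeh or from the advisory, and they do not reproduce the specific bug behind CVE-2026-21883, whose details the signal above does not give. The first is the generic defense against the CSWSH class described in the second paragraph: accept a WebSocket upgrade only when the browser-sent Origin header exactly matches an explicit allowlist (the same idea Bokeh exposes at deployment time through its `--allow-websocket-origin` option). The second is the version check the third paragraph asks for: compare an installed Bokeh version string against the patched release 3.8.2 named in the signal. The handshake headers, hostnames and allowlist are constructed samples, not captured traffic or any real deployment's configuration.

```python
"""Added example (not Bokeh's own code): Origin allowlisting for WebSocket
handshakes, the generic Cross-Site WebSocket Hijacking defense, plus a
version check against the patched Bokeh release named in the advisory."""
from __future__ import annotations

from urllib.parse import urlsplit

PATCHED_VERSION = (3, 8, 2)  # patched Bokeh release named in the signal


def normalize_origin(origin: str) -> str | None:
    """Return 'scheme://host:port' with the port made explicit, or None if
    the value is not a well-formed http(s) origin."""
    parts = urlsplit(origin.strip().lower())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port such as 'host:abc'
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"


def is_allowed_origin(headers: dict[str, str], allowlist: set[str]) -> bool:
    """CSWSH check: accept a WebSocket upgrade only when the Origin header
    exactly matches one of the configured origins (scheme, host and port).

    A missing Origin is rejected: browsers always send it on WebSocket
    handshakes, and a permissive default for unknown or absent origins is
    exactly what lets a third-party page ride the victim's session."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("upgrade", "").lower() != "websocket":
        return False  # not a WebSocket handshake at all
    origin = lowered.get("origin")
    if origin is None:
        return False
    norm = normalize_origin(origin)
    if norm is None:
        return False
    allowed = {normalize_origin(a) for a in allowlist} - {None}
    return norm in allowed


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.8.2' or '2.4.3rc1' into a comparable tuple of leading integers."""
    parts: list[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break  # stop at the first non-numeric component ('rc1', 'dev')
        parts.append(int(digits))
    return tuple(parts)


def needs_upgrade(installed: str, patched: tuple[int, ...] = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched release."""
    return parse_version(installed) < patched


# Constructed sample handshakes (hypothetical hostnames, not captured traffic).
SAME_SITE_HANDSHAKE = {
    "Host": "dashboards.example.internal:5006",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "https://dashboards.example.internal",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
}
CROSS_SITE_HANDSHAKE = dict(SAME_SITE_HANDSHAKE, Origin="https://third-party.example")
NO_ORIGIN_HANDSHAKE = {k: v for k, v in SAME_SITE_HANDSHAKE.items() if k != "Origin"}

# Assumed deployment allowlist: only the dashboard's own origin may open sockets.
ALLOWED_ORIGINS = {"https://dashboards.example.internal"}

if __name__ == "__main__":
    for name, hs in (("same-site", SAME_SITE_HANDSHAKE),
                     ("cross-site", CROSS_SITE_HANDSHAKE),
                     ("no-origin", NO_ORIGIN_HANDSHAKE)):
        print(f"{name:10s} accepted={is_allowed_origin(hs, ALLOWED_ORIGINS)}")
    for ver in ("2.4.3", "3.8.2", "3.9.0"):
        print(f"bokeh {ver}: needs upgrade={needs_upgrade(ver)}")
```

The allowlist match is exact on scheme, host and port rather than a substring or suffix test, since a loose comparison (for example matching any origin that ends in the trusted hostname) is a common way an Origin check becomes bypassable. The version check is only a triage aid: the authoritative action is the dependency bump to 3.8.2 that the signal describes.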