Skip to main content

Jupyter Server CVE-2026-35397

| EUVDEUVD-2026-27470 HIGH
Path Traversal (CWE-22)
2026-05-05 https://github.com/jupyter-server/jupyter_server GHSA-5789-5fc7-67v3
7.6
CVSS 4.0 · Vendor: https://github.com/jupyter-server/jupyter_server
Share

Severity by source

Vendor (https://github.com/jupyter-server/jupyter_server) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/jupyter-server/jupyter_server).

CVSS VectorVendor: https://github.com/jupyter-server/jupyter_server

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 05, 2026 - 21:02 EUVD
Re-analysis Queued
May 05, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 05, 2026 - 20:22 NVD
7.1 (HIGH) 7.6 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 17:30 vuln.today
Analysis Generated
May 05, 2026 - 17:30 vuln.today

DescriptionCVE.org

Summary

Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name.

PoC

Minimal:

.
├── test/              <- root directory.
│   └── test.txt
└── testtest/
    └── secret.txt     <- file to exfiltrate that we should not be able to access via API
bash
HOST="http://localhost:8888"
TOKEN=""
SIBLING="testtest"
TARGET="secret.txt"

curl -s -X POST \
  "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
  -H "Authorization: token $TOKEN"

Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006

Impact

It is possible for an authenticated user to access content outside the server's root_dir in siblings directories sharing the same prefix as the root_dir. The attacker can escalate access, reading, writing, and deleting from sibling directories.

This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example user1, user2, user3, ..., user10 etc, as user1 could access and modify files of all user10 - user19 and higher.

In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories.

Workarounds

Use folder names that do not overlap.

Acknowledgments

Thank you to @stef41 for providing a useful PoC.

AnalysisAI

Authenticated users can access, modify, and delete files in sibling directories outside Jupyter Server's configured root_dir by exploiting a flawed string prefix check in path validation (CWE-22). Jupyter Server <=2.17.0 incorrectly uses startswith() validation, allowing attackers to traverse to directories like 'testtest/' when root is 'test/'. Publicly available exploit code exists. This primarily threatens multi-tenant deployments with predictable naming schemes (e.g., user1, user10-user19) where low-privileged users can escalate to access other users' workspaces. CVSS 7.1 reflects network-accessible attack requiring low privileges but high attack complexity; EPSS data not provided but real-world risk is significant for affected multi-tenant environments.

Technical ContextAI

Jupyter Server is a backend web service for Jupyter interactive computing environments, providing RESTful APIs for file management within a configured root_dir. The vulnerability stems from improper path traversal prevention (CWE-22) in the file access validation logic. The server uses Python's string startswith() method to verify paths are within root_dir boundaries, but fails to account for sibling directories sharing the same prefix. For example, if root_dir is '/notebooks/user1/', the check incorrectly permits access to '/notebooks/user10/' because 'user10' starts with 'user1'. The exploit uses URL-encoded parent directory traversal (%2e%2e for '..') via the /api/contents/ endpoint to bypass intended containment. This affects the pip package jupyter-server (pkg:pip/jupyter-server) version 2.17.0 and earlier.

RemediationAI

Upgrade to Jupyter Server version 2.18.0 or later using pip install --upgrade jupyter-server>=2.18.0, as confirmed by vendor advisory GHSA-5789-5fc7-67v3. For systems unable to immediately patch, implement directory naming schemes that eliminate prefix collisions: use UUIDs, random strings, or sufficiently distinct prefixes (e.g., 'workspace_user1' vs 'workspace_user10' instead of 'user1' vs 'user10'). Trade-off: renaming existing directories requires data migration and may break hardcoded paths in notebooks or automation. Additional compensating control: implement filesystem-level permissions ensuring each user's system account can only access their designated root_dir, providing defense-in-depth even if application-level path validation fails (trade-off: increased administrative overhead and potential interference with legitimate cross-user collaboration features). Advisory and patch details: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-35397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy