Skip to main content

Red Hat CVE-2026-39377

| EUVDEUVD-2026-24023 MEDIUM
Path Traversal (CWE-22)
2026-04-21 GitHub_M GHSA-4c99-qj7h-p3vg
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Patch released
Apr 23, 2026 - 17:51 nvd
Patch available
Patch available
Apr 21, 2026 - 02:01 EUVD
Analysis Generated
Apr 21, 2026 - 01:22 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 01:15 euvd
EUVD-2026-24023
Analysis Generated
Apr 21, 2026 - 01:15 vuln.today
CVE Published
Apr 21, 2026 - 00:14 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 15 pypi packages depend on nbconvert (14 direct, 1 indirect)

Ecosystem-wide dependent count for version 6.5.0.

DescriptionGitHub Advisory

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The ExtractAttachmentsPreprocessor passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.

AnalysisAI

Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.

Technical ContextAI

Jupyter nbconvert is a document conversion utility that transforms Jupyter Notebook files (ipynb format) into other formats using Jinja2 templating. The ExtractAttachmentsPreprocessor component handles embedded cell attachments (binary data encoded within notebook JSON) by extracting them to the filesystem during conversion. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, aka 'Path Traversal') in how attachment filenames are passed directly to file I/O operations without path canonicalization or basename filtering. An attacker can craft filenames containing path traversal sequences (e.g., '../../../malicious.py') to write files anywhere the nbconvert process has permissions, allowing code injection into system directories, configuration paths, or application directories.

RemediationAI

Upgrade to Jupyter nbconvert version 7.17.1 or later immediately. For organizations unable to upgrade immediately, restrict notebook processing to trusted sources only and disable the ExtractAttachmentsPreprocessor if attachment functionality is not required (via nbconvert configuration: set ExtractAttachmentsPreprocessor to disabled in jupyter_nbconvert_config.py or use --to=<format> --no-prompt flag without attachment processing). Additionally, run nbconvert with minimal filesystem permissions (dedicated user account with restricted directory access) to limit the scope of file writes. Users should avoid opening or converting untrusted notebook files until patched. The official advisory is available at https://github.com/jupyter/nbconvert/security/advisories/GHSA-4c99-qj7h-p3vg and patched release at https://github.com/jupyter/nbconvert/releases/tag/v7.17.1.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-39377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy