Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/jupyter-server/jupyter_server).
CVSS VectorVendor: https://github.com/jupyter-server/jupyter_server
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Summary
Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name.
PoC
Minimal:
.
├── test/ <- root directory.
│ └── test.txt
└── testtest/
└── secret.txt <- file to exfiltrate that we should not be able to access via APIHOST="http://localhost:8888"
TOKEN=""
SIBLING="testtest"
TARGET="secret.txt"
curl -s -X POST \
"$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
-H "Authorization: token $TOKEN"Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006
Impact
It is possible for an authenticated user to access content outside the server's root_dir in siblings directories sharing the same prefix as the root_dir. The attacker can escalate access, reading, writing, and deleting from sibling directories.
This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example user1, user2, user3, ..., user10 etc, as user1 could access and modify files of all user10 - user19 and higher.
In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories.
Workarounds
Use folder names that do not overlap.
Acknowledgments
Thank you to @stef41 for providing a useful PoC.
AnalysisAI
Authenticated users can access, modify, and delete files in sibling directories outside Jupyter Server's configured root_dir by exploiting a flawed string prefix check in path validation (CWE-22). Jupyter Server <=2.17.0 incorrectly uses startswith() validation, allowing attackers to traverse to directories like 'testtest/' when root is 'test/'. Publicly available exploit code exists. This primarily threatens multi-tenant deployments with predictable naming schemes (e.g., user1, user10-user19) where low-privileged users can escalate to access other users' workspaces. CVSS 7.1 reflects network-accessible attack requiring low privileges but high attack complexity; EPSS data not provided but real-world risk is significant for affected multi-tenant environments.
Technical ContextAI
Jupyter Server is a backend web service for Jupyter interactive computing environments, providing RESTful APIs for file management within a configured root_dir. The vulnerability stems from improper path traversal prevention (CWE-22) in the file access validation logic. The server uses Python's string startswith() method to verify paths are within root_dir boundaries, but fails to account for sibling directories sharing the same prefix. For example, if root_dir is '/notebooks/user1/', the check incorrectly permits access to '/notebooks/user10/' because 'user10' starts with 'user1'. The exploit uses URL-encoded parent directory traversal (%2e%2e for '..') via the /api/contents/ endpoint to bypass intended containment. This affects the pip package jupyter-server (pkg:pip/jupyter-server) version 2.17.0 and earlier.
RemediationAI
Upgrade to Jupyter Server version 2.18.0 or later using pip install --upgrade jupyter-server>=2.18.0, as confirmed by vendor advisory GHSA-5789-5fc7-67v3. For systems unable to immediately patch, implement directory naming schemes that eliminate prefix collisions: use UUIDs, random strings, or sufficiently distinct prefixes (e.g., 'workspace_user1' vs 'workspace_user10' instead of 'user1' vs 'user10'). Trade-off: renaming existing directories requires data migration and may break hardcoded paths in notebooks or automation. Additional compensating control: implement filesystem-level permissions ensuring each user's system account can only access their designated root_dir, providing defense-in-depth even if application-level path validation fails (trade-off: increased administrative overhead and potential interference with legitimate cross-user collaboration features). Advisory and patch details: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27470
GHSA-5789-5fc7-67v3