CVE-2026-35397
Published 2026-05-05
Priority: P2 · 62 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.58% (43.5th percentile)
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories.
Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jupyter-server | >= 0 < 2.18.0 | 2.18.0 |
| jupyter-server | jupyter_server | < 2.18.0 | 2.18.0 |
| jupyter | jupyter_server | < 2.18.0 | 2.18.0 |
| mta | mta-solution-server-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cpu-torch291-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch210-py312-rhel9 | — | — |
| rhoai | odh-th06-cuda130-torch291-py312-rhel9 | — | — |
| rhoai | odh-th06-rocm64-torch291-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-minimal-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-minimal-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-minimal-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Monitor REST API requests to the /api/contents endpoint for encoded path components (e.g., percent-encoded characters) that attempt to traverse outside the configured root_dir into sibling directories sharing a common prefix.
- In multi-tenant Jupyter deployments (e.g., Red Hat OpenShift AI), alert on authenticated users accessing paths outside their assigned root_dir, particularly where directory names follow predictable numeric suffixes (e.g., user1 accessing user10–user19).
- Flag Jupyter Server instances running version 2.17.0 or earlier as vulnerable; version 2.18.0 contains the fix.
- The vulnerability is exploitable only when sibling directories share a common prefix with the configured root_dir. Deployments where directory names do not share any common prefix are not exploitable via this vector.
- Risk is significantly elevated in multi-tenant environments (e.g., Red Hat OpenShift AI) where predictable or sequential naming conventions are used for user directories.
- A user who controls a single-character folder name can potentially access a very large number of sibling directories, dramatically expanding the attack surface.
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v4.0: 7.6 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 8.8 HIGH
Red Hat
jupyter-server: Jupyter Server: Unauthorized File Access via Path Traversal Vulnerability
vendor_redhat · 2026-05-05 · CVSS 8.8 · HIGH · CWE-22
GHSA
Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories
ghsa · 2026-05-05 · HIGH · CWE-22
### Summary
In Jupyter Server <= 2.17.0, an authenticated user can access directories that are siblings of the configured root directory when their names start with the root directory's name.
### PoC
Minimal:
```
.
├── test/          <- root directory
│   └── test.txt
└── testtest/
    └── secret.txt <- file to exfiltrate that we should not be able to access via API
```
```bash
HOST="http://localhost:8888"   # Jupyter Server base URL
TOKEN=""                       # token of an authenticated user
SIBLING="testtest"             # sibling directory sharing the root_dir's name as a prefix
TARGET="secret.txt"

# %2e%2e is a percent-encoded ".." path component; the request resolves to
# <root_dir>/../testtest/secret.txt, which the prefix check wrongly accepts.
curl -s -X POST \
  "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
  -H "Authorization: token $TOKEN"
```
Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006
### Impact
It is possible for an authenticated user to access content outside the server's `ro
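The prefix-only root_dir check named in the GHSA title, placed beside a path-aware check, as an added illustrative example (not Jupyter Server's own code; the root path, function names and sample request paths are constructed). The third function is a log-side detection helper for the encoded ".." components the description mentions.

```python
"""Prefix-only vs. path-aware root_dir containment checks (illustrative)."""
import os
from urllib.parse import unquote

# Constructed example layout: root_dir "test" has a sibling directory "testtest".
ROOT_DIR = "/srv/jupyter/test"


def _resolve(root_dir: str, api_path: str) -> tuple:
    """Decode the percent-encoded /api/contents path and resolve it under root_dir."""
    root = os.path.realpath(root_dir)
    target = os.path.realpath(os.path.join(root, unquote(api_path)))
    return root, target


def weak_is_inside_root(root_dir: str, api_path: str) -> bool:
    """Hypothetical prefix check of the kind the advisory describes:
    "/srv/jupyter/testtest" starts with "/srv/jupyter/test", so a sibling
    whose name shares the prefix passes."""
    root, target = _resolve(root_dir, api_path)
    return target.startswith(root)


def safe_is_inside_root(root_dir: str, api_path: str) -> bool:
    """Path-aware check: the target must be root itself or lie below it as a
    whole path component, so "testtest" is no longer mistaken for "test"."""
    root, target = _resolve(root_dir, api_path)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def flags_encoded_traversal(api_path: str) -> bool:
    """Detection helper for request logs: True when the decoded path contains
    a '..' segment, whether written literally or percent-encoded."""
    decoded = unquote(api_path)
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


if __name__ == "__main__":
    for p in ["test.txt", "%2e%2e/testtest/secret.txt", "%2e%2e/other/x.txt"]:
        print(f"{p:30} weak={weak_is_inside_root(ROOT_DIR, p)!s:5} "
              f"safe={safe_is_inside_root(ROOT_DIR, p)!s:5} "
              f"flag={flags_encoded_traversal(p)}")
```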
VulDB
jupyter-server jupyter_server up to 2.17.x REST API /api/contents path traversal
vuldb · 2026-05-05 · CVSS 7.6 · HIGH
A vulnerability marked as critical has been reported in jupyter-server jupyter_server up to 2.17.x. Affected is an unknown function of the file /api/contents of the component REST API. Performing a manipulation results in path traversal.
This vulnerability is cataloged as CVE-2026-35397. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-35397 python-jupyter-server: Jupyter Server: Unauthorized File Access via Path Traversal Vulnerability [epel-all]
bugzilla · 2026-06-04 · CVSS 7.6 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-35397 python-jupyter-server: Jupyter Server: Unauthorized File Access via Path Traversal Vulnerability [fedora-all]
bugzilla · 2026-06-04 · CVSS 7.6 · HIGH
Bugzilla
CVE-2026-35397 jupyter-server: Jupyter Server: Unauthorized File Access via Path Traversal Vulnerability
bugzilla · 2026-05-05 · CVSS 8.8 · HIGH
References
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3
- https://access.redhat.com/security/cve/CVE-2026-35397
- https://bugzilla.redhat.com/show_bug.cgi?id=2466858
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35397.json