cbcvebase.
CVE-2026-35397
published 2026-05-05

Priority: P2 (62), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.58% (43.5th percentile)
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.

Affected

19 ranges

Vendor | Product | Version range | Fixed in
debian | jupyter-server | >= 0, < 2.18.0 | 2.18.0
jupyter-server | jupyter_server | < 2.18.0 | 2.18.0
jupyter | jupyter_server | < 2.18.0 | 2.18.0
mta | mta-solution-server-rhel9 | |
rhoai | odh-th06-cpu-torch210-py312-rhel9 | |
rhoai | odh-th06-cpu-torch291-py312-rhel9 | |
rhoai | odh-th06-cuda130-torch210-py312-rhel9 | |
rhoai | odh-th06-cuda130-torch291-py312-rhel9 | |
rhoai | odh-th06-rocm64-torch291-py312-rhel9 | |
rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | |
rhoai | odh-workbench-jupyter-minimal-cpu-py312-rhel9 | |
rhoai | odh-workbench-jupyter-minimal-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-minimal-rocm-py312-rhel9 | |
rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | |
rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | |
rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | |
rhoai | odh-workbench-jupyter-trustyai-cpu-py312-rhel9 | |

Detection & IOCs (extracted from sources)

URL: /api/contents
  • Monitor REST API requests to the /api/contents endpoint for encoded path components (e.g., percent-encoded characters) that attempt to traverse outside the configured root_dir into sibling directories sharing a common prefix.
  • In multi-tenant Jupyter deployments (e.g., Red Hat OpenShift AI), alert on authenticated users accessing paths outside their assigned root_dir, particularly where directory names follow predictable numeric suffixes (e.g., user1 accessing user10–user19).
  • Flag Jupyter Server instances running version 2.17.0 or earlier as vulnerable; version 2.18.0 contains the fix.
  • The vulnerability is exploitable only when sibling directories share a common prefix with the configured root_dir. Deployments where directory names do not share any common prefix are not exploitable via this vector.
  • Risk is significantly elevated in multi-tenant environments (e.g., Red Hat OpenShift AI) where predictable or sequential naming conventions are used for user directories.
  • A user who controls a single-character folder name can potentially access a very large number of sibling directories, dramatically expanding the attack surface.

CVSS provenance

NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v4.0: 7.6 HIGH (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
vendor_redhat: 8.8 HIGH