CVE-2026-39377 — Path Traversal in Nbconvert

CWE-22 — Path Traversal CWE-73 — External Control of File Name or Path4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 86.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyter Nbconvert MTA Mta-solution-server-rhel9 Rhoai Odh-pipeline-runtime-datascience-cpu-py312-rhel9 +17 more

Timeline

PublishedApr 21

Description

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the des…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages21 packages

▶PyPIjupyter/nbconvert6.5.0 — 7.17.1

▶CVEListV5jupyter/nbconvert>= 6.5, < 7.17.1

▶Red Hatrhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9

▶Red Hatrhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9

▶Red Hatrhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9

🔴Vulnerability Details

GHSA

nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames↗2026-04-21

▶

📋Vendor Advisories

Red Hat

nbconvert: nbconvert: Arbitrary file write via crafted Jupyter notebook cell attachment filenames↗2026-04-21

▶

💬Community

Bugzilla

CVE-2026-39377 nbconvert: nbconvert: Arbitrary file write via crafted Jupyter notebook cell attachment filenames↗2026-04-21

▶