CVE-2018-8768 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

Any ML/data science team running Jupyter Notebook below 5.4.1 is exposed to code execution if a team member opens a crafted notebook file — a realistic scenario given how freely .ipynb files are shared via GitHub, Slack, and email. Patch immediately to 5.4.1+; audit your notebook-sharing workflows for untrusted sources. The 2018 vintage and low EPSS (0.0012) suggest no active exploitation campaigns, but the attack surface in AI/ML environments is high.

Risk Assessment

Risk is moderate-to-high for organizations still running legacy Jupyter instances, which is not uncommon in air-gapped or on-premise ML environments where upgrades lag. The local attack vector (AV:L) requires user interaction — opening a malicious notebook — but AI/ML teams routinely share notebooks from external sources (Kaggle, GitHub, colleagues), making social engineering highly plausible. CVSS 7.8 reflects full C/I/A impact once exploited. Low EPSS indicates no current mass exploitation, but targeted attacks against ML teams are credible.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
notebook	pip	< 5.4.1	`5.4.1`
13.1K OpenSSF 4.8 2.9K dependents Pushed 9d ago 73% patched ~508d to patch Full package profile →

Do you use notebook? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 30% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

6 steps

Upgrade Jupyter Notebook to >= 5.4.1 immediately — pip install --upgrade notebook.
Audit all running Jupyter instances across ML infrastructure; prioritize JupyterHub deployments.
Enforce a policy: only open .ipynb files from trusted, version-controlled repositories.
For detection: scan .ipynb files (JSON format) for embedded HTML tags containing event handlers (onerror, onload, onmouseover) or script-adjacent patterns before sharing.
Consider nbstripout or similar tools in CI/CD to sanitize notebooks before merge.
Run Jupyter with minimum required OS privileges and network isolation.

Classification

Code Execution Supply Chain Data Extraction Framework AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0011.000 - Unsafe AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system life cycle — security testing A.6.2.3 - Security of AI system

NIST AI RMF

GOVERN 1.2 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms for treatment of identified AI risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2018-8768?

Any ML/data science team running Jupyter Notebook below 5.4.1 is exposed to code execution if a team member opens a crafted notebook file — a realistic scenario given how freely .ipynb files are shared via GitHub, Slack, and email. Patch immediately to 5.4.1+; audit your notebook-sharing workflows for untrusted sources. The 2018 vintage and low EPSS (0.0012) suggest no active exploitation campaigns, but the attack surface in AI/ML environments is high.

Is CVE-2018-8768 actively exploited?

No confirmed active exploitation of CVE-2018-8768 has been reported, but organizations should still patch proactively.

How to fix CVE-2018-8768?

1. Upgrade Jupyter Notebook to >= 5.4.1 immediately — pip install --upgrade notebook. 2. Audit all running Jupyter instances across ML infrastructure; prioritize JupyterHub deployments. 3. Enforce a policy: only open .ipynb files from trusted, version-controlled repositories. 4. For detection: scan .ipynb files (JSON format) for embedded HTML tags containing event handlers (onerror, onload, onmouseover) or script-adjacent patterns before sharing. 5. Consider nbstripout or similar tools in CI/CD to sanitize notebooks before merge. 6. Run Jupyter with minimum required OS privileges and network isolation.

What systems are affected by CVE-2018-8768?

This vulnerability affects the following AI/ML architecture patterns: Data science workstations, ML training pipelines, Collaborative notebook environments, JupyterHub multi-user deployments, MLOps experimentation platforms.

What is the CVSS score for CVE-2018-8768?

CVE-2018-8768 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.12%.

Technical Details

NVD Description

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Exploitation Scenario

An adversary targeting an ML engineering team crafts a malicious notebook file containing invalid HTML with an embedded payload — e.g., an img tag with a malformed src attribute that jQuery 'repairs' post-sanitization into a valid XSS vector. The file is uploaded to a public GitHub repo mimicking a legitimate ML tutorial, or sent via Slack as 'a useful training script'. A data scientist opens it in their unpatched Jupyter instance. The JavaScript executes, harvests the Jupyter session cookie, and POSTs it to an attacker-controlled server. The attacker now has full access to the Jupyter server, its filesystem, training data, API keys in environment variables, and any connected databases.