CVE-2026-35397 — HIGH (CVSS 7.1) AI Security Vulnerability

Q: What is CVE-2026-35397?

Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories

Q: Is CVE-2026-35397 actively exploited?

No confirmed active exploitation of CVE-2026-35397 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-35397?

Update to patched version: jupyter-server 2.18.0.

Q: What is the CVSS score for CVE-2026-35397?

CVE-2026-35397 has a CVSS v3.1 base score of 7.1 (HIGH).

### Summary Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name. ### PoC Minimal: ``` . ├── test/ <- root directory. │ └── test.txt └── testtest/ └── secret.txt <- file to exfiltrate that we should not be...

Full CISO analysis pending enrichment.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
jupyter-server	pip	<= 2.17.0	`2.18.0`
13.1K OpenSSF 4.8 1.9K dependents Pushed 5d ago 100% patched ~0d to patch Full package profile →

Do you use jupyter-server? You're affected.

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

N/A

Attack Surface

AV Network

AC High

PR Low

UI None

S Unchanged

C High

I High

A Low

Recommended Action

Patch available

Update jupyter-server to version 2.18.0

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-35397?

Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories

Is CVE-2026-35397 actively exploited?

No confirmed active exploitation of CVE-2026-35397 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35397?

Update to patched version: jupyter-server 2.18.0.

What is the CVSS score for CVE-2026-35397?

CVE-2026-35397 has a CVSS v3.1 base score of 7.1 (HIGH).

Technical Details

NVD Description

### Summary Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name. ### PoC Minimal: ``` . ├── test/ <- root directory. │ └── test.txt └── testtest/ └── secret.txt <- file to exfiltrate that we should not be able to access via API ``` ```bash HOST="http://localhost:8888" TOKEN="" SIBLING="testtest" TARGET="secret.txt" curl -s -X POST \ "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \ -H "Authorization: token $TOKEN" ``` Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006 ### Impact It is possible for an authenticated user to access content outside the server's `root_dir` in siblings directories sharing the same prefix as the `root_dir`. The attacker can escalate access, reading, writing, and deleting from sibling directories. This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example `user1`, `user2`, `user3`, ..., `user10` etc, as `user1` could access and modify files of all `user10` - `user19` and higher. In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories. ### Workarounds Use folder names that do not overlap. ### Acknowledgments Thank you to @stef41 for providing a useful PoC.