CVE-2026-39377: Jupyter Notebook path traversal

CISO Take

nbconvert's ExtractAttachmentsPreprocessor passes cell attachment filenames directly to the filesystem without sanitization, allowing an attacker to write arbitrary content to any path reachable by the running process via `../` traversal sequences embedded in a crafted notebook. With 2,931 downstream dependents spanning Jupyter-based ML pipelines, CI/CD systems, and automated reporting workflows, the attack surface extends well beyond direct nbconvert users — and the attacker controls destination path, filename, extension, and full file content, creating a powerful write primitive that can overwrite SSH keys, cron jobs, or Python scripts. Absolute exploitation probability remains low (EPSS 0.044%), there is no public exploit, and CISA rates this TRACK, but the 87th-percentile EPSS ranking and an OpenSSF Scorecard of only 4.9/10 signal a modestly-maintained package with meaningful exposure in automated pipeline contexts. Upgrade to nbconvert v7.17.1 immediately; where patching is blocked, disable the preprocessor with `c.ExtractAttachmentsPreprocessor.enabled = False` and enforce least-privilege filesystem permissions on the nbconvert process.

Sources: NVD GitHub Advisory EPSS OpenSSF ATLAS

What is the risk?

Medium CVSS (6.5) but operationally elevated in AI/ML environments where notebook processing is automated and often runs with broad filesystem permissions. The attacker controls the complete write primitive — path, filename, extension, and content — enabling overwrite of SSH authorized_keys, cron scripts, or Python package files to pivot toward persistent access or code execution. No public exploit or KEV listing keeps urgency at TRACK, but 2,931 downstream dependents and an OpenSSF score of 4.9/10 signal a wide, modestly-maintained attack surface. Risk escalates sharply in multi-tenant data science platforms or CI/CD pipelines that accept external notebook submissions from untrusted parties.

How does the attack unfold?

Craft Malicious Notebook

Adversary creates a Jupyter notebook with a cell attachment whose filename contains path traversal sequences (e.g., `../../.ssh/authorized_keys`) and populates the attachment content with a malicious payload such as an SSH public key or backdoored Python script.

AML.T0011.000

Notebook Submission

The crafted notebook is delivered to a target pipeline — a CI/CD system, data science platform, or automated reporting service — that processes external notebooks with a vulnerable nbconvert version.

AML.T0049

Path Traversal Exploitation

nbconvert's ExtractAttachmentsPreprocessor processes the attachment without filename sanitization, writing the attacker-controlled content to an arbitrary filesystem path outside the intended output directory.

AML.T0010.001

Persistence and Escalation

Overwritten files — SSH authorized_keys, cron scripts, or Python modules in site-packages — grant the adversary persistent access or code execution within the ML infrastructure on next invocation, without any authentication alert.

AML.T0010.001

Craft Malicious Notebook

Adversary creates a Jupyter notebook with a cell attachment whose filename contains path traversal sequences (e.g., `../../.ssh/authorized_keys`) and populates the attachment content with a malicious payload such as an SSH public key or backdoored Python script.

AML.T0011.000

Notebook Submission

The crafted notebook is delivered to a target pipeline — a CI/CD system, data science platform, or automated reporting service — that processes external notebooks with a vulnerable nbconvert version.

AML.T0049

Path Traversal Exploitation

nbconvert's ExtractAttachmentsPreprocessor processes the attachment without filename sanitization, writing the attacker-controlled content to an arbitrary filesystem path outside the intended output directory.

AML.T0010.001

Persistence and Escalation

Overwritten files — SSH authorized_keys, cron scripts, or Python modules in site-packages — grant the adversary persistent access or code execution within the ML infrastructure on next invocation, without any authentication alert.

AML.T0010.001

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Jupyter Notebook	pip	>= 6.5.0, < 7.17.1	`7.17.1`
13.2K OpenSSF 5.6 3.0K dependents Pushed 7d ago 60% patched ~454d to patch Full package profile →

Do you use Jupyter Notebook? You're affected.

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C None

I High

A None

What should I do?

6 steps

Upgrade nbconvert to v7.17.1 immediately (pip install 'nbconvert>=7.17.1').
If patching is blocked, disable the vulnerable component in Jupyter config: c.ExtractAttachmentsPreprocessor.enabled = False.
Apply principle of least privilege — run nbconvert under a restricted service account with write access scoped only to designated output directories.
In CI/CD and multi-tenant contexts, sandbox notebook execution in containers with read-only mounts for everything outside the output directory.
Validate attachment filenames server-side before any processing — reject inputs containing .., absolute paths, or null bytes.
Detect exploitation by monitoring for filesystem writes from nbconvert processes outside expected output paths using auditd, Falco, or equivalent runtime security tooling.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Framework AML.T0010.001 - AI Software AML.T0011.000 - Unsafe AI Artifacts AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Information security risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain oversight of AI systems

OWASP LLM Top 10

LLM03 - Supply Chain

Frequently Asked Questions

What is CVE-2026-39377?

nbconvert's ExtractAttachmentsPreprocessor passes cell attachment filenames directly to the filesystem without sanitization, allowing an attacker to write arbitrary content to any path reachable by the running process via `../` traversal sequences embedded in a crafted notebook. With 2,931 downstream dependents spanning Jupyter-based ML pipelines, CI/CD systems, and automated reporting workflows, the attack surface extends well beyond direct nbconvert users — and the attacker controls destination path, filename, extension, and full file content, creating a powerful write primitive that can overwrite SSH keys, cron jobs, or Python scripts. Absolute exploitation probability remains low (EPSS 0.044%), there is no public exploit, and CISA rates this TRACK, but the 87th-percentile EPSS ranking and an OpenSSF Scorecard of only 4.9/10 signal a modestly-maintained package with meaningful exposure in automated pipeline contexts. Upgrade to nbconvert v7.17.1 immediately; where patching is blocked, disable the preprocessor with `c.ExtractAttachmentsPreprocessor.enabled = False` and enforce least-privilege filesystem permissions on the nbconvert process.

Is CVE-2026-39377 actively exploited?

No confirmed active exploitation of CVE-2026-39377 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39377?

1. Upgrade nbconvert to v7.17.1 immediately (`pip install 'nbconvert>=7.17.1'`). 2. If patching is blocked, disable the vulnerable component in Jupyter config: `c.ExtractAttachmentsPreprocessor.enabled = False`. 3. Apply principle of least privilege — run nbconvert under a restricted service account with write access scoped only to designated output directories. 4. In CI/CD and multi-tenant contexts, sandbox notebook execution in containers with read-only mounts for everything outside the output directory. 5. Validate attachment filenames server-side before any processing — reject inputs containing `..`, absolute paths, or null bytes. 6. Detect exploitation by monitoring for filesystem writes from nbconvert processes outside expected output paths using auditd, Falco, or equivalent runtime security tooling.

What systems are affected by CVE-2026-39377?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, notebook-based ML workflows, CI/CD model development pipelines, automated reporting systems, data science platforms.

What is the CVSS score for CVE-2026-39377?

CVE-2026-39377 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.05%.

What is the AI security impact?

Affected AI Architectures

training pipelinesnotebook-based ML workflowsCI/CD model development pipelinesautomated reporting systemsdata science platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0011.000 Unsafe AI Artifacts

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

# Arbitrary File Write via Path Traversal in Cell Attachment Filenames ## Summary nbconvert allows arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. ## Impact This vulnerability allows writing files with arbitrary content to arbitrary filesystem locations, limited only by the permissions of the process running nbconvert. The attacker controls: - Full destination path (via `../` traversal) - Filename - File extension - File content ## Patches - upgrade to nbconvert v7.17.1 ## Workarounds disable ExtractAttachmentsPreprocessor by setting: ```python c. ExtractAttachmentsPreprocessor.enabled = False ```

Exploitation Scenario

An adversary targets a data science platform that accepts user-submitted notebooks for automated rendering and report generation. They craft a notebook containing a cell attachment with the filename `../../.ssh/authorized_keys`, setting the attachment content to their own SSH public key. When the platform's pipeline processes the notebook with vulnerable nbconvert, ExtractAttachmentsPreprocessor writes the attacker's key to the service account's SSH authorized_keys file. The adversary then authenticates via SSH with full access to model artifacts, training data, internal APIs, and the host filesystem — all without triggering authentication alerts, as the write occurred silently during routine notebook processing.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-73 External Control of File Name or Path Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.