CVE-2026-5422: jupyter-server: path traversal exposes sibling dir files

AWAITING NVD
Published June 2, 2026
CISO Take

A path traversal flaw in jupyter-server 2.17.0 allows an authenticated user to read and write files outside the designated root directory by exploiting a missing trailing separator in the boundary check combined with unstripped '..' path components in the to_os_path() utility. In shared or multi-tenant Jupyter environments — common in AI/ML research clusters, data science platforms, and educational institutions — this means one user can access another's notebooks, training datasets, API keys, or model artifacts stored in adjacent directories. No CVSS score or EPSS data is published yet and no public exploit or KEV listing exists, but the attack primitive is classic path traversal requiring minimal skill from any authenticated user on a shared system. Upgrade jupyter-server beyond 2.17.0 immediately on any shared deployment; single-user containerized instances have significantly reduced exposure.

Sources: NVD, ATLAS, huntr.com

What is the risk?

Medium-High for multi-tenant or shared Jupyter deployments (JupyterHub, hosted data science platforms, research institution servers). Low for isolated single-user containerized instances. The root boundary bypass requires only basic path manipulation — no AI/ML expertise needed — making it accessible to any authenticated user on a shared system. Blast radius is bounded by what sibling directories contain, but in AI/ML environments these commonly hold sensitive assets: dataset files, model weights, environment configs with API keys, and SSH credentials.

Attack Kill Chain

Initial Access (AML.T0012): Attacker obtains a standard authenticated user account on a shared Jupyter deployment such as JupyterHub, a hosted data science platform, or a multi-user research server.

Exploitation (AML.T0049): Attacker crafts an API request to jupyter-server's /api/contents endpoint with a path containing '../' sequences targeting a sibling directory whose name shares the root_dir prefix, bypassing the flawed startswith() boundary check in _get_os_path().

Collection (AML.T0037): Attacker reads or enumerates sensitive files from adjacent user workspaces or system directories: training datasets, model weights, API keys, SSH credentials, or proprietary notebooks stored outside the intended root.

Impact (AML.T0025): Stolen AI artifacts and credentials are exfiltrated, or attacker writes malicious notebook content to victim workspaces enabling follow-on training data poisoning, credential-based lateral movement, or code execution on the victim's next kernel start.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
jupyter | pip | | No patch
notebook | pip | | No patch

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.0% chance of exploitation in 30 days (higher than 14% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

1) Upgrade jupyter-server to a version beyond 2.17.0; monitor the project GitHub releases for the patched build (reference: huntr.com bounty 24a36953).
2) For shared deployments, isolate each user's Jupyter root to a dedicated containerized or VM-based environment; do not rely solely on directory-level path checks.
3) Audit the directory structure around your Jupyter root for sensitive files reachable via sibling-directory traversal.
4) Implement filesystem-level ACLs (AppArmor or SELinux profiles) restricting the Jupyter process strictly to its intended root tree.
5) Monitor server access logs for requests to /api/contents containing '../' or percent-encoded traversal sequences in file path parameters.
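One way to implement the log monitoring in step 5, as an added example that is not part of the original advisory or of jupyter-server. The log format, user names, addresses and paths are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (users, addresses and paths are illustrative).
SAMPLE_LOG = [
    '192.0.2.10 - alice [02/Jun/2026:10:00:01 +0000] "GET /api/contents/notebooks/train.ipynb HTTP/1.1" 200 512',
    '192.0.2.11 - mallory [02/Jun/2026:10:00:07 +0000] "GET /api/contents/../alice-backup/.env HTTP/1.1" 200 88',
    '192.0.2.11 - mallory [02/Jun/2026:10:00:09 +0000] "GET /user/mallory/api/contents/%2e%2e%2falice-backup%2f.env?content=1 HTTP/1.1" 200 88',
    '192.0.2.11 - mallory [02/Jun/2026:10:00:12 +0000] "PUT /api/contents/%2E%2E/alice-backup/run.ipynb HTTP/1.1" 201 0',
    '192.0.2.10 - alice [02/Jun/2026:10:01:30 +0000] "GET /api/contents/docs/v1..v2-notes.md HTTP/1.1" 200 1024',
    '192.0.2.12 - bob [02/Jun/2026:10:02:00 +0000] "GET /static/../favicon.ico HTTP/1.1" 200 318',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so nested encoding cannot hide a '..' segment."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contents_traversal_path(target):
    """Return the decoded path if a /api/contents request has a '..' segment."""
    path = decode_fully(urlsplit(target).path).replace("\\", "/")
    if "/api/contents/" not in path:   # also matches behind a /user/<name> prefix
        return None
    # Compare whole segments so names like 'v1..v2-notes.md' are not flagged.
    return path if ".." in path.split("/") else None


def flag_lines(lines):
    """Return (line_index, decoded_path) for every suspicious request line."""
    hits = []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        path = contents_traversal_path(match.group("target")) if match else None
        if path is not None:
            hits.append((index, path))
    return hits
```

A reverse proxy may normalize '../' before the request reaches jupyter-server, so run the check against the log of the first hop that records the raw request target.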

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2 - Data for AI systems - security and integrity
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to inventory AI systems and manage associated risks
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-5422 actively exploited?

No confirmed active exploitation of CVE-2026-5422 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-5422?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data science workspaces, agent frameworks, model development environments, MLOps platforms.

What is the CVSS score for CVE-2026-5422?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

training pipelines, data science workspaces, agent frameworks, model development environments, MLOps platforms

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

Technical Details

Original Advisory

A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator, allowing sibling directories with names starting with the same prefix as root_dir to bypass the check. Additionally, the to_os_path() function in utils.py does not strip ".." from path parts, enabling traversal sequences to bypass the vulnerable check. This vulnerability can lead to unauthorized read/write access to files in sibling directories, potentially exposing sensitive data in shared hosting environments.
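The two defects the advisory names, modelled as an added example (a simplified illustration, not jupyter-server's own code): a path join that keeps '..' and a bare startswith() check, next to a corrected form. The function names, the root /srv/jupyter/alice and the sibling directories alice-backup and bob are constructed.

```python
import posixpath

ROOT = "/srv/jupyter/alice"  # constructed root_dir for illustration


def join_api_path(api_path, root):
    """Model of the flawed helper: empty parts are dropped, '..' is kept."""
    parts = [p for p in api_path.strip("/").split("/") if p]
    return posixpath.normpath(posixpath.join(root, *parts))


def resolve_vulnerable(api_path, root=ROOT):
    """Boundary check as the advisory describes it: a bare prefix match."""
    os_path = join_api_path(api_path, root)
    if not os_path.startswith(root):  # no trailing separator on root
        raise PermissionError(f"{api_path!r} is outside root")
    return os_path


def resolve_hardened(api_path, root=ROOT):
    """Reject '..' components, then compare on a separator boundary."""
    parts = [p for p in api_path.strip("/").split("/") if p]
    if ".." in parts:
        raise PermissionError(f"{api_path!r} contains a '..' component")
    root = posixpath.normpath(root)
    os_path = posixpath.normpath(posixpath.join(root, *parts))
    # 'root/' as the prefix means 'alice-backup' no longer matches 'alice'.
    if os_path != root and not os_path.startswith(root.rstrip("/") + "/"):
        raise PermissionError(f"{api_path!r} is outside root")
    return os_path


def is_allowed(resolver, api_path):
    """True if the resolver accepts the path, False if it raises."""
    try:
        resolver(api_path)
        return True
    except PermissionError:
        return False
```

The flawed check still rejects a sibling such as bob, which is why the bug only shows up for directories whose names begin with the root's own name. Both checks are lexical and do not follow symlinks.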

Exploitation Scenario

An authenticated user on a shared JupyterHub deployment targets a colleague's workspace: they craft a request to the /api/contents endpoint with a path like '../jupyter-user-bob-workspace/../.env' or similar payload targeting a sibling directory whose name starts with the same prefix as the configured root_dir. The boundary check passes because 'startswith(root)' matches the prefix without validating the trailing separator boundary, and since '../' is not stripped from path components by to_os_path(), the traversal resolves to the adjacent directory. The attacker reads API keys, training data, or proprietary model artifacts from the victim workspace, or writes a malicious notebook that executes on the victim's next kernel start, enabling training data poisoning or credential-based lateral movement.

Weaknesses (CWE)

Timeline

Published
June 2, 2026
Last Modified
June 2, 2026
First Seen
June 2, 2026
