Skip to content

Path traversal via jupyter-server REST API allows access to a subset of directories sibling to the `root_dir`

High
Yann-P published GHSA-5789-5fc7-67v3 May 5, 2026

Package

pip jupyter-server (pip)

Affected versions

<=2.17.0

Patched versions

2.18.0

Description

Summary

Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name.

PoC

Minimal:

.
├── test/              <- root directory.
│   └── test.txt
└── testtest/
    └── secret.txt     <- file to exfiltrate that we should not be able to access via API

HOST="http://localhost:8888"
TOKEN=""
SIBLING="testtest"
TARGET="secret.txt"

curl -s -X POST \
  "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
  -H "Authorization: token $TOKEN"

Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006

Impact

It is possible for an authenticated user to access content outside the server's root_dir in siblings directories sharing the same prefix as the root_dir. The attacker can escalate access, reading, writing, and deleting from sibling directories.

This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example user1, user2, user3, ..., user10 etc, as user1 could access and modify files of all user10 - user19 and higher.

In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories.

Workarounds

Use folder names that do not overlap.

Acknowledgments

Thank you to @stef41 for providing a useful PoC.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CVE ID

CVE-2026-35397

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits