CVE-2026-5422: Jupyter Server Path Traversal – Privilege Escalation in Multi-Tenant Environments
A flaw in Jupyter Server version 2.17.0 allows authenticated users to read and write files outside their intended directory boundaries. The vulnerability stems from an incomplete security check that fails to properly validate file path requests, allowing attackers to access sibling directories and potentially sensitive files in shared hosting environments. An attacker with login credentials can exploit this to breach confidentiality and integrity of data across directory structures that were meant to be isolated.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-23
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator, allowing sibling directories with names starting with the same prefix as root_dir to bypass the check. Additionally, the to_os_path() function in utils.py does not strip ".." from path parts, enabling traversal sequences to bypass the vulnerable check. This vulnerability can lead to unauthorized read/write access to files in sibling directories, potentially exposing sensitive data in shared hosting environments.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-5422 is a path traversal vulnerability in jupyter-server 2.17.0 affecting the _get_os_path() function in jupyter_server/services/contents/fileio.py. The root cause involves two distinct flaws: (1) the root directory boundary check uses startswith(root) without enforcing a trailing path separator, permitting sibling directories whose names begin with the same prefix as root_dir to evade the check, and (2) the to_os_path() function in utils.py fails to normalize or strip ".." sequences from path components, enabling traversal payloads to bypass the weakened boundary validation. This combination allows authenticated users to construct paths that traverse outside the intended root directory.
Business impact
In multi-tenant or shared hosting environments, this vulnerability enables privilege escalation within a single server instance. An authenticated Jupyter user can read sensitive notebooks, configuration files, or data belonging to other users on the same server, or modify them maliciously. For organizations relying on Jupyter for collaborative data science or education, this represents a material confidentiality and integrity risk, particularly if the server hosts proprietary models, research data, or user-specific credentials. Incident response may require audit of file access logs and assessment of what data exposure occurred.
Affected systems
Jupyter Server version 2.17.0 is confirmed affected. Organizations running this specific version in multi-user or shared hosting scenarios are at direct risk. Verify whether your deployment uses this version via 'jupyter --version' or inspection of installed packages. Environments where Jupyter is containerized, isolated per user, or running in single-user mode have reduced but non-zero risk depending on threat model.
Exploitability
Exploitation requires valid Jupyter credentials (PR:L in CVSS) and network access to the Jupyter Server (AV:N). No user interaction is needed (UI:N), and exploitation is straightforward given knowledge of target directory names. The attack is not complex (AC:L). An authenticated attacker can craft a malicious API request or upload a notebook that exploits the path traversal during file operations. No public exploit is known to be in active use, but the flaw is logically obvious to security researchers and likely to be weaponized once widely known.
Remediation
Upgrade Jupyter Server to a patched version that corrects both the startswith() boundary check (adding path separator enforcement) and the path normalization in to_os_path(). Verify the specific patched version against the official Jupyter security advisory. As an interim measure, restrict Jupyter Server to single-user deployments, disable file upload/creation APIs if not required, or segregate users into separate server instances. Monitor file access logs for suspicious path traversal patterns (".." sequences in API requests).
Patch guidance
Check the official Jupyter project security advisory and release notes for the specific version that patches CVE-2026-5422. Apply the recommended update via 'pip install --upgrade jupyter-server=X.Y.Z' (substituting the patched version number). Verify the patch is installed with 'jupyter --version' and restart all running Jupyter Server instances. Test in a staging environment first to ensure no dependency conflicts or behavioral regressions. Coordinate patching across all affected servers in your environment.
Detection guidance
Search Jupyter Server logs and access logs for API requests containing ".." path traversal sequences, particularly in file read/write endpoints (e.g., /api/contents/). Monitor for unauthorized file access or modification events outside a user's designated directory. Endpoint detection and response (EDR) tools should flag child processes spawned by Jupyter with unusual file I/O patterns. Network-based detection is challenging without deep packet inspection; log analysis at the application layer is more effective. Check for suspicious patterns in Jupyter's request logs and cross-correlate with file system audit logs if available.
Why prioritize this
This vulnerability scores 8.1 (HIGH) due to high confidentiality and integrity impact (C:H, I:H) combined with low attack complexity and low privilege requirements. Although it requires authentication, in shared or multi-tenant Jupyter deployments, the presence of regular users—students, interns, or external collaborators—means the barrier to exploitation is practical and not merely theoretical. The impact on data confidentiality and file integrity justifies rapid patching. Organizations should prioritize this for their next maintenance window.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) Network-accessible attack vector (AV:N) with no special network conditions required, (2) Low attack complexity (AC:L) since path traversal exploitation is straightforward, (3) Low privilege requirement (PR:L) because only user-level Jupyter authentication is needed, (4) No user interaction (UI:N), (5) High confidentiality impact (C:H) from unauthorized file read access, (6) High integrity impact (I:H) from unauthorized file write/modification, and (7) No availability impact (A:N). The HIGH severity is appropriate for environments where Jupyter is shared among untrusted or semi-trusted users.
Frequently asked questions
Does this affect single-user Jupyter deployments?
Single-user Jupyter instances where each user runs their own server are at lower risk because there is no shared root directory or other users to read from. However, if a single-user instance is later converted to multi-user mode, or if the attacker gains credentials through other means, the vulnerability still poses a risk. It is prudent to patch regardless of deployment model.
What is the difference between the startswith() check and path separator issues?
The startswith() check was meant to validate that a requested file path falls within the designated root directory. Without a trailing separator, a root directory '/data/users/alice' would incorrectly allow access to '/data/users/alice_private' because 'alice_private' starts with 'alice'. The missing separator is a classic path traversal bypass. The to_os_path() failure to normalize '..' sequences compounds this by allowing explicit traversal syntax to slip through.
Can I detect if this vulnerability was exploited in my environment?
Review Jupyter Server access logs and file system audit logs for the time period since the server was deployed on version 2.17.0. Look for API requests containing '..', unusual file access patterns outside a user's home directory, or file modification timestamps that don't align with expected activity. If available, enable detailed request logging on the Jupyter Server and correlate with system-level file access audits. However, log retention is often limited; immediate patching is more effective than relying on post-incident detection.
Is this vulnerability actively exploited in the wild?
As of the published date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of widespread active exploitation. However, the flaw is logically simple and will likely attract attacker attention once broader awareness increases. Do not interpret the absence of KEV status as low urgency; patch proactively based on the HIGH CVSS score and your environment's risk profile.
This analysis is based on the CVE description and CVSS vector as of the published date. Patch version numbers and specific remediation steps must be verified against the official Jupyter project security advisory before implementation. SEC.co does not guarantee the accuracy of vendor patch timelines or availability. Organizations should conduct their own risk assessment based on their specific Jupyter deployment architecture and user trust model. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41271HIGHWaterfall WF-500 Path Traversal – Arbitrary File Read Vulnerability
- CVE-2025-41280HIGHWaterfall WF-500 RX Host Path Traversal (Zip Slip) Code Execution Vulnerability
- CVE-2026-10073HIGHDreamMaker Arbitrary File Read via Relative Path Traversal
- CVE-2025-48977MEDIUMApache Ignite REST API Path Traversal – Authenticated File Read Vulnerability
- CVE-2026-10074MEDIUMDreamMaker Arbitrary File Read Vulnerability (MEDIUM)
- CVE-2026-48681MEDIUMOpenStack Ironic Directory Traversal File Overwrite (MEDIUM)
- CVE-2026-6657HIGHJupyter Server CORS Origin Validation Bypass Vulnerability
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access