Path Traversal Vulnerability in Jupyter Server Allows Unauthorized Directory Access
CVE-2026-35397
What is CVE-2026-35397?
In Jupyter Server versions 2.17.0 and earlier, a path traversal vulnerability exists within the REST API that allows authenticated users to bypass the configured root directory. This can lead to unauthorized access to sibling directories that share a common string prefix with the root directory. For example, a root directory named 'test' could potentially expose access to a sibling named 'testtest', and others like it. This weakness poses a risk especially in multi-tenant environments with predictable naming conventions, where users could read and manipulate files in directories that were never intended to be reachable. The vulnerability can be mitigated by upgrading to version 2.18.0, which addresses this issue, or, as a workaround, by avoiding folder names that share a prefix with sibling directories.
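The following is an added illustration, not code from Jupyter Server, of the class of mistake the description points at: a root-directory check that compares path strings character by character instead of by path component. The function names, the root '/srv/test' and the sample API paths are constructed for the example; whether Jupyter Server's own check looked exactly like the weak version is an assumption, since the advisory does not show its code. The hardened check uses os.path.commonpath so that a sibling such as '/srv/testtest' is rejected even though it starts with the same characters.

```python
import os

# Constructed sample root and API-style relative paths (not real deployment data).
ROOT = "/srv/test"
SAMPLE_API_PATHS = [
    "notebooks/a.ipynb",            # legitimate file under the root
    "../testtest/secrets.txt",      # sibling that shares the string prefix "test"
    "../other/notes.txt",           # sibling with no shared prefix
]


def is_within_root_prefix(root: str, candidate: str) -> bool:
    """Weak check (constructed illustration of the prefix-matching mistake).

    Both paths are normalised lexically, then compared with str.startswith.
    '/srv/testtest/secrets.txt' starts with '/srv/test', so it passes.
    """
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(candidate)
    return cand_abs.startswith(root_abs)


def is_within_root(root: str, candidate: str) -> bool:
    """Hardened check: compare path components, not characters.

    os.path.commonpath returns the longest shared *directory* prefix, so the
    candidate is inside the root only if that shared prefix is the root itself.
    On a live filesystem use os.path.realpath instead of abspath so symlinks are
    resolved too; abspath is used here so the example runs without the paths existing.
    """
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(candidate)
    try:
        return os.path.commonpath([root_abs, cand_abs]) == root_abs
    except ValueError:
        # Raised when the paths cannot share a prefix at all (e.g. different
        # drives on Windows); treat that as outside the root.
        return False


def resolve_api_path(root: str, api_path: str):
    """Map an API-style relative path onto the filesystem using the hardened check.

    Returns the absolute path when it is inside the root, otherwise None.
    """
    candidate = os.path.join(root, api_path.lstrip("/"))
    if not is_within_root(root, candidate):
        return None
    return os.path.abspath(candidate)


def compare_checks(root: str = ROOT, api_paths=SAMPLE_API_PATHS) -> dict:
    """Run both checks over the sample paths; returns {api_path: (weak, hardened)}."""
    results = {}
    for api_path in api_paths:
        candidate = os.path.join(root, api_path)
        results[api_path] = (
            is_within_root_prefix(root, candidate),
            is_within_root(root, candidate),
        )
    return results


if __name__ == "__main__":
    for path, (weak, hardened) in compare_checks().items():
        print(f"{path!r}: prefix check={weak}, component check={hardened}")
```

The sibling with no shared prefix ('../other') is caught by both checks; only the component-wise check also catches '../testtest', which is the case the advisory describes. A detection-side note follows from the same logic: API requests whose resolved path escapes the root without any '..' segment surviving normalisation are exactly the ones a prefix check lets through, so logging the resolved absolute path (not the raw request string) is what makes such access visible.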
Affected Version(s)
jupyter_server < 2.18.0
