Path Traversal Vulnerability in Jupyter nbconvert Tool
CVE-2026-39378

6.5 MEDIUM

Key Information:

Vendor

Jupyter

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-39378?

nbconvert, the Jupyter tool for converting notebooks into multiple formats, has a path traversal vulnerability that affects versions up to 7.17.0. When HTMLExporter is configured to embed images, a maliciously crafted Jupyter notebook can exploit the flaw to read arbitrary files on the server: the contents of the targeted files are embedded as base64-encoded URIs in the generated HTML output. To mitigate, leave the HTMLExporter.embed_images option disabled (it is disabled by default), or upgrade to version 7.17.1, which resolves this vulnerability.

Affected Version(s)

nbconvert >= 6.5, < 7.17.1
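
A triage check for the two conditions above (affected version and embed_images enabled), added here as an example and not taken from the nbconvert project. The function names and sample configuration are constructed, and the check assumes the option is set in a Python-style traitlets config file or as a command-line override.

```python
import re

# Affected range as stated on this page: nbconvert >= 6.5, < 7.17.1
FIRST_AFFECTED = (6, 5, 0)
FIRST_FIXED = (7, 17, 1)

# Traitlets-style assignment, e.g. "c.HTMLExporter.embed_images = True"
# in a config file or "--HTMLExporter.embed_images=True" on a command line.
SETTING_RE = re.compile(r"HTMLExporter\.embed_images\s*=\s*(\w+)")

def parse_version(text):
    """Turn '7.17.0' into (7, 17, 0); pre-release suffixes are ignored."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED

def embed_images_enabled(config_text):
    """Return the effective setting; the last assignment in the text wins."""
    enabled = False  # the option is disabled by default
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]  # ignore commented-out settings
        m = SETTING_RE.search(code)
        if m:
            enabled = m.group(1).lower() in ("true", "1")
    return enabled

def assess(version, config_text):
    if not version_affected(version):
        return "not affected"
    if embed_images_enabled(config_text):
        return "exposed: upgrade to 7.17.1 or disable embed_images"
    return "affected version, embed_images off"

# Constructed sample of a jupyter_nbconvert_config.py file
SAMPLE_CONFIG = """\
c = get_config()
# c.HTMLExporter.embed_images = False
c.HTMLExporter.embed_images = True
"""

if __name__ == "__main__":
    for ver in ("6.4.5", "7.17.0", "7.17.1"):
        print(ver, "->", assess(ver, SAMPLE_CONFIG))
```

This only sees settings written in the text it is given; code that passes embed_images directly to HTMLExporter has to be reviewed separately.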

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
