Fluid Attacks Database

Description

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	jupyter-server	>=0 <2.18.0	2.18.0
debian 11	jupyter-server	=1.10.2-1 \|\| =1.11.0-1 \|\| =1.11.1-1 \|\| =1.12.0-1 \|\| =1.12.1-1 \|\| =1.13.1-1 \|\| =1.16.0-1 \|\| =1.17.0-1 \|\| =1.17.1-1 \|\| =1.18.1-1 \|\| =1.18.1-2 \|\| =1.2.2-1 \|\| =1.21.0-1 \|\| =1.23.2-1 \|\| =1.23.3-1 \|\| =1.23.3-2 \|\| =2.14.0-1 \|\| =2.14.2-1 \|\| =2.14.2-2 \|\| =2.14.2-3 \|\| =2.14.2-4 \|\| =2.14.2-5 \|\| =2.15.0-1 \|\| =2.17.0-1 \|\| =2.9.1-1	-
debian 12	jupyter-server	=1.23.3-1 \|\| =1.23.3-2 \|\| =2.14.0-1 \|\| =2.14.2-1 \|\| =2.14.2-2 \|\| =2.14.2-3 \|\| =2.14.2-4 \|\| =2.14.2-5 \|\| =2.15.0-1 \|\| =2.17.0-1 \|\| =2.9.1-1	-
debian 13	jupyter-server	=2.15.0-1 \|\| =2.17.0-1	-
debian 14	jupyter-server	=2.15.0-1 \|\| =2.17.0-1	-

Aliases

1. CVE-2026-353972. NVD-2026-353973. OSV-2026-353974. OSV-DEBIAN-2026-353975. GHSA-5789-5fc7-67v36. GCVE-2026-353977. SECURITY-TRACKER-CVE-2026-35397

References

1. https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v32. https://github.com/HiteshGorana/susvibes-jupyter-server-cve-2026-35397

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.