CVE-2026-33587 Overview
CVE-2026-33587 is a Server-Side Template Injection (SSTI) vulnerability affecting Open Notebook version 1.8.3. The flaw stems from missing user input sanitisation in the user-created transformations feature. Authenticated application users can inject Python code through template expressions, achieving arbitrary code execution inside the Docker container hosting the application. Successful exploitation leads to operating system command execution within the container context. The vulnerability is tracked under CWE-20: Improper Input Validation.
Critical Impact
Authenticated users can execute arbitrary Python and OS commands inside the Open Notebook Docker container through SSTI in user-defined transformations.
Affected Products
- Open Notebook v1.8.3
- Open Notebook deployments using user-created transformations
- Docker container deployments of Open Notebook
Discovery Timeline
- 2026-05-07 - CVE-2026-33587 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-33587
Vulnerability Analysis
Open Notebook allows users to define custom transformations that process notebook content. The application renders these transformations through a templating engine without sanitising user-supplied template expressions. Attackers craft transformation payloads containing Python expressions that the engine evaluates server-side. The evaluation runs inside the Docker container hosting the application, granting access to the Python runtime and underlying operating system.
The attack requires application-level access but no elevated privileges. Once an authenticated user submits a malicious transformation, the template engine executes the embedded code during rendering. This bypasses any boundary the templating system was intended to enforce between user data and code execution.
The impact extends beyond the Python interpreter. Through standard Python modules, attackers spawn child processes, read environment secrets, exfiltrate notebook data, and pivot toward other services reachable from the container network. Container isolation limits but does not eliminate lateral movement risk.
Root Cause
The root cause is the absence of input sanitisation on user-created transformation templates. The application passes user-controlled strings directly to a template engine that supports arbitrary expression evaluation. No allow-list, sandbox, or expression filter restricts the available Python builtins or attribute access chains.
Attack Vector
An authenticated Open Notebook user creates or edits a transformation containing template syntax that resolves to Python code. When the application renders the transformation, the engine evaluates the payload. Common SSTI techniques traverse Python object attributes such as __class__, __bases__, and __subclasses__ to reach the os or subprocess modules and execute shell commands inside the container.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-f35w-wx37-26q7 for additional technical context.
Detection Methods for CVE-2026-33587
Indicators of Compromise
- Unexpected child processes spawned by the Open Notebook application process inside the container, such as sh, bash, or python invoking system utilities.
- Outbound network connections from the Open Notebook container to unfamiliar destinations following transformation execution.
- Transformation records containing template syntax referencing __class__, __mro__, __subclasses__, os.popen, or subprocess.
- Container filesystem changes in directories not normally written to by the application, including /tmp or /var/tmp.
Detection Strategies
- Inspect stored transformation definitions for template metacharacters and Python dunder attribute traversal patterns.
- Monitor process trees within the Open Notebook container for shell invocations descended from the Python application worker.
- Correlate transformation creation and edit events with subsequent process or network anomalies in the container.
Monitoring Recommendations
- Enable application-level audit logging for transformation creation, modification, and execution events.
- Forward container runtime telemetry, including process and network events, to a centralised analytics platform for retention and review.
- Alert on any execution of os, subprocess, or socket module calls originating from transformation rendering paths.
How to Mitigate CVE-2026-33587
Immediate Actions Required
- Restrict access to the Open Notebook application to trusted users until a fixed version is deployed.
- Audit existing user-created transformations for suspicious template expressions and remove any that contain code execution payloads.
- Rotate any secrets, API keys, or credentials accessible from the Open Notebook container environment.
Patch Information
Consult the GitHub Security Advisory GHSA-f35w-wx37-26q7 for the maintainer's guidance on fixed versions and upgrade instructions. Apply the vendor-supplied update once available and validate that transformation rendering enforces input sanitisation.
Workarounds
- Disable the user-created transformations feature where the deployment configuration permits.
- Limit transformation creation privileges to a small set of administrative accounts.
- Run the Open Notebook container with a read-only root filesystem, dropped Linux capabilities, and a non-root user to reduce post-exploitation impact.
- Apply egress network policies that restrict outbound traffic from the container to required destinations only.
# Configuration example: restrict container privileges
docker run \
--read-only \
--cap-drop=ALL \
--security-opt=no-new-privileges \
--user 1000:1000 \
--network open-notebook-net \
open-notebook:patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
