CVE-2026-33588 Overview
CVE-2026-33588 is a path traversal vulnerability in Open Notebook v1.8.3. The flaw resides in the application's file upload functionality, which fails to validate user-supplied input. An authenticated application user can craft file paths containing directory traversal sequences to create or modify files on the underlying Docker container outside the intended upload directory.
The issue is classified under CWE-20: Improper Input Validation. Successful exploitation impacts file integrity and availability on the host container.
Critical Impact
An attacker with application access can write arbitrary files inside the Open Notebook Docker container, enabling tampering with application files, configuration overwrite, or planting of malicious artifacts.
Affected Products
- Open Notebook v1.8.3
- Deployments using the affected Open Notebook Docker container image
- Self-hosted instances exposing the file upload endpoint to authenticated users
Discovery Timeline
- 2026-05-07 - CVE-2026-33588 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-33588
Vulnerability Analysis
Open Notebook v1.8.3 exposes a file upload feature intended to store user content within a designated directory inside the Docker container. The endpoint accepts a filename or path parameter from the client without sanitizing traversal sequences such as ../. As a result, the application resolves the supplied path relative to a writable location and writes the uploaded content there.
Because the vulnerability is in upload handling, the impact is on integrity and availability rather than confidentiality. An attacker can overwrite application files, drop scripts into directories that the runtime may execute, or corrupt configuration files used by Open Notebook. The advisory does not document confidentiality loss through this vector.
The CVSS attack vector is Local, so exploitation requires access to the application itself; beyond that it needs no privileges and no user interaction other than submitting a crafted upload request.
Root Cause
The root cause is missing validation and canonicalization of user-controlled file path input in the upload handler. The code does not reject path components such as .., absolute paths, or symbolic link references before joining them with the upload base directory. See the GitHub Security Advisory GHSA-x4q2-89g5-594v for advisory details.
Attack Vector
An application user submits an upload request whose target filename includes traversal sequences. The server concatenates the value with the upload directory and writes the file at the resolved location. The attacker chooses the destination to overwrite or create files anywhere the container process has write access, including paths used for scheduled tasks, application logic, or persisted configuration.
No public proof-of-concept or exploit entry was referenced in the advisory at the time of publication.
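The bug class described in the Vulnerability Analysis, Root Cause and Attack Vector sections above, as an added example that is not Open Notebook's code: `naive_target` is the unchecked join the advisory describes, and `safe_target` is the canonicalize-then-contain check that fixes it (rejecting `..` components, absolute paths, and symlinks that resolve outside the upload directory). The upload directory layout, the function names and the sample filenames are constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Constructed illustration of the path traversal pattern; not Open Notebook's
# code. `naive_target` is the vulnerable join, `safe_target` the hardened one.


def naive_target(base: Path, user_name: str) -> Path:
    """The vulnerable pattern: user input joined onto the base directory unchecked."""
    return base / user_name


def safe_target(base: Path, user_name: str) -> Path:
    """Return the write target for `user_name` strictly inside `base`, or raise ValueError.

    `user_name` is the already URL-decoded filename the web framework hands the
    handler, so encoded forms such as %2e%2e are covered by the same '..' check.
    """
    if not user_name or "\x00" in user_name:
        raise ValueError("empty or NUL-containing filename")
    rel = Path(user_name)
    # Reject absolute paths before joining: Path("/uploads") / "/etc/x" is "/etc/x".
    if rel.is_absolute():
        raise ValueError("absolute path not allowed")
    # Reject '..' components explicitly; pathlib does not collapse them.
    if ".." in rel.parts:
        raise ValueError("traversal component not allowed")
    base_real = base.resolve(strict=True)
    # resolve() follows symlinks, so a link inside the upload directory that
    # points elsewhere is caught by the containment check below.
    candidate = (base_real / rel).resolve(strict=False)
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise ValueError("resolved path escapes upload directory") from None
    if candidate == base_real:
        raise ValueError("filename resolves to the upload directory itself")
    return candidate


def classify(base: Path, names) -> dict:
    """Map each candidate filename to 'ok' or the reason safe_target rejected it."""
    result = {}
    for name in names:
        try:
            safe_target(base, name)
            result[name] = "ok"
        except ValueError as exc:
            result[name] = str(exc)
    return result


def make_fixture() -> Path:
    """Constructed layout: <tmp>/uploads containing a symlink 'escape' -> <tmp>/outside."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (root / "outside").mkdir()
    os.symlink(root / "outside", uploads / "escape")
    return uploads


if __name__ == "__main__":
    base = make_fixture()
    samples = ["notes.md", "sub/notes.md", "../settings.py", "/etc/profile", "escape/x", "."]
    for name, verdict in classify(base, samples).items():
        print(f"{name!r:20} -> {verdict}")
    # The naive join resolves outside the upload directory without complaint.
    print("naive:", naive_target(base, "../settings.py").resolve())
```

The containment check runs after `resolve()`, which is what makes it robust against the symlink case the Root Cause section mentions: a plain string comparison against the joined path would accept `escape/x` even though the kernel will write it outside the upload directory.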
Detection Methods for CVE-2026-33588
Indicators of Compromise
- Files appearing outside the configured Open Notebook upload directory inside the Docker container
- Modification timestamps on application or configuration files that do not align with deployment events
- HTTP requests to the upload endpoint containing .., %2e%2e, or absolute path prefixes in filename parameters
- Unexpected new files in directories such as /app, /etc, or other writable locations within the container
Detection Strategies
- Inspect web server and application access logs for upload requests with filename fields containing traversal sequences or absolute paths
- Compare the running container filesystem against the original image to identify drift in non-data directories
- Enable file integrity monitoring on the Open Notebook container for application code and configuration paths
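The first detection strategy above (log inspection for traversal sequences in filename parameters), as an added example that is not part of the original advisory: it parses Combined Log Format lines, undoes nested percent-encoding so that `%2e%2e` and `%252e%252e` are both seen as `..`, and flags upload requests whose query parameters carry a traversal component or an absolute path. The log lines, the `/api/upload` route and the `filename` parameter are constructed assumptions; a multipart upload's filename lives in the request body and will not appear in a reverse proxy access log, so for that case the same `is_traversal` check has to be applied to the application's own upload log fields.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Combined Log Format; not real Open Notebook logs.
# The upload route "/api/upload" and the "filename" parameter are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - alice [07/May/2026:10:01:02 +0000] "POST /api/upload?filename=notes.md HTTP/1.1" 200 512',
    '10.0.0.9 - bob [07/May/2026:10:02:15 +0000] "POST /api/upload?filename=..%2F..%2Fapp%2Fconfig.yaml HTTP/1.1" 200 88',
    '10.0.0.9 - bob [07/May/2026:10:02:40 +0000] "POST /api/upload?filename=%252e%252e%2Fsettings.py HTTP/1.1" 200 60',
    '10.0.0.7 - carol [07/May/2026:10:03:01 +0000] "POST /api/upload?filename=%2Fetc%2Fprofile HTTP/1.1" 200 30',
    '10.0.0.5 - alice [07/May/2026:10:04:00 +0000] "GET /notebooks HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (e.g. %252e -> %2e -> .) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True for a '..' path component, a POSIX absolute path, or a Windows drive prefix."""
    if ".." in re.split(r"[\\/]+", value):
        return True
    if value.startswith("/") or value.startswith("\\"):
        return True
    return re.match(r"^[A-Za-z]:[\\/]", value) is not None


def scan(lines, upload_path="/api/upload"):
    """Return one finding per query parameter of an upload request that carries a traversal value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(upload_path):
            continue
        # parse_qs already applies one round of percent-decoding to each value.
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                decoded = fully_decode(raw)
                if is_traversal(decoded):
                    findings.append({
                        "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                        "param": param, "decoded": decoded, "status": int(m["status"]),
                    })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} {f['param']}={f['decoded']!r} status={f['status']}")
```

A 200 status on a flagged request is the signal worth escalating: it means the server accepted the write, so the container filesystem should be compared against the image (the second strategy above) to find what landed outside the upload directory.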
Monitoring Recommendations
- Forward Open Notebook application logs and reverse proxy logs to a centralized logging system for retention and search
- Alert on writes to sensitive paths inside the container that are outside the documented upload directory
- Track outbound network activity from the container to detect post-exploitation behavior following file tampering
How to Mitigate CVE-2026-33588
Immediate Actions Required
- Restrict access to the Open Notebook application to trusted users only until a fix is applied
- Place the application behind authenticated reverse proxy controls and disable anonymous routes to the upload endpoint
- Run the Open Notebook container as a non-root user with a read-only root filesystem where feasible
- Review the container filesystem for unauthorized files written outside the intended upload directory
Patch Information
Refer to the Open Notebook GitHub Security Advisory GHSA-x4q2-89g5-594v for upstream remediation guidance and fixed version information. Upgrade to a release that includes input validation and path canonicalization in the file upload handler.
Workarounds
- Mount the upload directory as a dedicated volume and set all other container paths to read-only to prevent traversal writes
- Add a reverse proxy rule that rejects requests whose body or query parameters contain .., %2e%2e, or absolute path prefixes targeting the upload endpoint
- Apply Linux capabilities restrictions and a seccomp profile to the container to reduce post-exploitation impact
# Example Docker hardening for Open Notebook deployments
# --read-only makes the image filesystem immutable, so a traversal write can only
# land on the explicitly writable mounts (the /tmp tmpfs and the uploads volume).
# --user, --cap-drop ALL and no-new-privileges limit what a compromised process can do.
docker run \
  --read-only \
  --tmpfs /tmp \
  --user 10001:10001 \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  -v open-notebook-uploads:/app/uploads \
  open-notebook:patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.