CVE-2026-33589 Overview
CVE-2026-33589 is a path traversal vulnerability in the file upload functionality of Open Notebook v1.8.3. The application fails to validate user-supplied input, allowing an authenticated user to read arbitrary files from the underlying Docker container. Attackers can leverage this flaw to access sensitive configuration files, secrets, and application source code stored within the container filesystem. The issue is tracked under CWE-20: Improper Input Validation.
Critical Impact
Authenticated users can traverse the container filesystem and read local file contents accessible to the Open Notebook process.
Affected Products
- Open Notebook v1.8.3
- Open Notebook deployments using the official Docker container
- Earlier releases of Open Notebook that share the unpatched file upload handler
Discovery Timeline
- 2026-05-07 - CVE-2026-33589 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-33589
Vulnerability Analysis
Open Notebook is an open-source research and note-taking application distributed as a Docker container. Version 1.8.3 exposes a file upload endpoint that accepts user-controlled path components without sanitization. An application user can submit crafted input containing directory traversal sequences such as ../ to escape the intended upload directory.
The vulnerability allows local file disclosure within the container boundary. Affected files include application configuration, environment files, and any secrets mounted into the container. The CVSS 4.0 vector indicates the attack vector is local with no privileges or user interaction required, and the impact is confined to confidentiality.
Root Cause
The root cause is the absence of input validation on filename and path parameters supplied to the upload handler. The application concatenates user input into filesystem paths without canonicalization or allowlist enforcement. Sequences such as ../../etc/passwd resolve to locations outside the intended upload directory.
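The following is an added example, not code from Open Notebook or from the advisory: it places the root-cause pattern just described (user input concatenated into a filesystem path) beside a hardened resolver that enforces a filename allowlist and a canonical-path containment check. The function names and the /app/data/uploads directory are assumptions for illustration.

```python
"""Added example, not Open Notebook's code: the root-cause pattern described
above (raw path concatenation) beside a hardened resolver. The function names
and the /app/data/uploads directory are assumptions for illustration."""
import os
import re
from typing import Optional

UPLOAD_DIR = "/app/data/uploads"  # assumed upload root

# Allowlist for a stored filename: leading alphanumeric, then letters, digits,
# dot, dash or underscore, at most 255 characters. This excludes '.', '..',
# hidden files such as .env, separators and percent-encoded sequences.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def resolve_upload_path_vulnerable(user_filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Root-cause pattern: user input is concatenated into the path with no
    canonicalization or allowlist, so '../' sequences escape upload_dir."""
    return upload_dir + "/" + user_filename


def normalized_target(user_filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Where the vulnerable path actually lands once '..' segments are collapsed."""
    return os.path.normpath(resolve_upload_path_vulnerable(user_filename, upload_dir))


def resolve_upload_path_hardened(user_filename: str, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Hardened resolver. The web framework has already percent-decoded the
    value once; it is deliberately not decoded again here, because decoding
    after validation would let a literal '%2e%2e' turn into '..'.
    Returns the canonical absolute path, or None if the input must be rejected."""
    # Any separator (POSIX or Windows style) or NUL means the client is choosing a directory.
    if "/" in user_filename or "\\" in user_filename or "\0" in user_filename:
        return None
    if not _SAFE_NAME.fullmatch(user_filename):
        return None
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, user_filename))
    # Containment check on the canonical path: its parent must be the upload root
    # itself, which also catches a symlink inside the upload directory pointing out.
    if os.path.dirname(candidate) != root:
        return None
    return candidate


if __name__ == "__main__":
    probes = ("report.pdf", "../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "..\\..\\app\\.env")
    for probe in probes:
        print(f"{probe!r:40} vulnerable -> {normalized_target(probe):32} hardened -> {resolve_upload_path_hardened(probe)}")
```

The allowlist does the bulk of the work: a bare filename that cannot contain a separator or a dot-only segment cannot name a directory at all. The realpath containment check is kept as a second, independent guard so that a symlink planted inside the upload directory, or a later change to the allowlist, still cannot resolve to a location outside the root.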
Attack Vector
An attacker authenticated to Open Notebook submits a file upload request with a manipulated path parameter. The server resolves the traversal sequence and returns or stores file content from the targeted location inside the container. No exploitation in the wild has been reported, and no public proof-of-concept is referenced in the advisory.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-842v-h4cj-r646. No verified exploit code is publicly available at this time.
Detection Methods for CVE-2026-33589
Indicators of Compromise
- HTTP requests to Open Notebook upload endpoints containing ../, ..\, or URL-encoded variants such as %2e%2e%2f
- Application access to files outside the configured upload directory, particularly /etc/, /proc/, or /app/ paths
- Unusual file read activity originating from the Open Notebook container process
Detection Strategies
- Inspect web access logs for upload requests containing traversal sequences or absolute paths
- Enable container runtime auditing to record file access by the Open Notebook process outside expected directories
- Apply web application firewall rules that block path traversal patterns in multipart/form-data filename fields
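As an added example that is not part of the advisory or of Open Notebook's own tooling, the scanner below runs the indicators from the two lists above over web access logs: it restricts itself to upload routes, percent-decodes each parameter value until stable so that %2e%2e%2f and double-encoded forms are caught, and reports traversal sequences in either separator style as well as absolute paths. The log lines and the /api/upload route are constructed for illustration.

```python
"""Added example, not part of the advisory or of Open Notebook: a small access-log
scanner for the upload-endpoint indicators listed above. The log lines and the
/api/upload route are constructed for illustration and are not real paths."""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Combined Log Format (not real Open Notebook logs).
SAMPLE_LOG = """\
10.0.0.5 - alice [07/May/2026:10:01:02 +0000] "POST /api/upload?filename=notes.pdf HTTP/1.1" 200 512 "-" "curl/8.5"
10.0.0.9 - bob [07/May/2026:10:02:17 +0000] "POST /api/upload?filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - bob [07/May/2026:10:02:18 +0000] "POST /api/upload?filename=%252e%252e%252fapp%252f.env HTTP/1.1" 200 1337 "-" "python-requests/2.31"
10.0.0.9 - bob [07/May/2026:10:02:19 +0000] "POST /api/upload?filename=..%5C..%5Capp%5C.env HTTP/1.1" 200 1337 "-" "python-requests/2.31"
10.0.0.9 - bob [07/May/2026:10:02:20 +0000] "GET /api/upload?filename=/proc/self/environ HTTP/1.1" 200 4096 "-" "python-requests/2.31"
10.0.0.5 - alice [07/May/2026:10:03:00 +0000] "GET /static/../static/logo.png HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A '..' segment bounded by either separator style, judged after decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.(?:[\\/]|$)')
ABSOLUTE_RE = re.compile(r'^(?:/|\\|[A-Za-z]:[\\/])')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2e%2e%2f and double-encoded forms are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def value_reasons(value: str) -> List[str]:
    """Indicators found in one raw user-controlled value (a query parameter such as filename)."""
    reasons = []
    decoded = decode_fully(value)
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal sequence")
        if "../" not in value and "..\\" not in value:
            reasons.append("url-encoded traversal")  # only visible after decoding
    if ABSOLUTE_RE.match(decoded):
        reasons.append("absolute path")
    return reasons


def scan_upload_requests(log_text: str, upload_prefixes=("/api/upload",)) -> List[Dict[str, object]]:
    """Return one record per request to an upload endpoint that carries an indicator.
    Only upload routes are inspected, so the static-asset line above is not reported."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not any(parts.path.startswith(p) for p in upload_prefixes):
            continue
        reasons = set()
        # The URL path itself: traversal only (every URL path is absolute by construction).
        if TRAVERSAL_RE.search(decode_fully(parts.path)):
            reasons.add("traversal sequence")
        # Split the raw query ourselves rather than with parse_qsl, which would strip
        # one encoding layer and hide whether the sequence was encoded on the wire.
        for _, raw in re.findall(r'([^&=]+)=([^&]*)', parts.query):
            reasons.update(value_reasons(raw))
        if reasons:
            hits.append({
                "user": m["user"], "ip": m["ip"], "target": m["target"],
                "status": m["status"], "size": m["size"],
                "reasons": sorted(reasons),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_upload_requests(SAMPLE_LOG):
        print(hit["user"], hit["ip"], hit["status"], hit["size"], ", ".join(hit["reasons"]), hit["target"])
```

Each record keeps the response status and size so the analyst can correlate a flagged request with the anomalous response sizes mentioned under the monitoring recommendations; a traversal request answered with 200 and a non-trivial body is the combination worth escalating first. Note that multipart filename fields are not visible in access logs, so this scanner complements rather than replaces a WAF rule on the request body.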
Monitoring Recommendations
- Forward Open Notebook application logs and container audit events to a centralized SIEM for correlation
- Alert on file reads targeting credential stores, .env files, and SSH keys within the container
- Track anomalous response sizes from upload endpoints that may indicate file content exfiltration
How to Mitigate CVE-2026-33589
Immediate Actions Required
- Restrict access to the Open Notebook instance to trusted users only and review existing user accounts
- Remove sensitive files, secrets, and credentials from the container filesystem where possible
- Deploy a reverse proxy or WAF rule that blocks traversal sequences in upload requests
Patch Information
Consult the GitHub Security Advisory GHSA-842v-h4cj-r646 for the official remediation guidance and fixed version information from the Open Notebook maintainers.
Workarounds
- Run the Open Notebook container as a non-root user with read-only filesystem mounts where feasible
- Mount secrets through external secret management rather than placing them in the container image
- Apply Docker security profiles such as seccomp and AppArmor to limit file access by the application process
# Configuration example: run Open Notebook with reduced filesystem exposure
docker run --read-only \
--tmpfs /tmp \
--user 1000:1000 \
--security-opt no-new-privileges \
--cap-drop ALL \
-v open-notebook-data:/app/data \
open-notebook:patched
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.