CVE-2026-35397 Overview
CVE-2026-35397 is a path traversal vulnerability [CWE-22] in Jupyter Server, the backend that powers Jupyter web applications. The flaw affects versions 2.17.0 and earlier. An authenticated user can escape the configured root_dir and reach sibling directories whose names share a common prefix with the configured root. The /api/contents REST endpoint accepts crafted requests with encoded path components, allowing read, write, and delete operations on those sibling directories. Multi-tenant deployments using predictable naming schemes face the highest exposure, since a user with a directory named user1 can reach user10 through user19. Jupyter Server 2.18.0 contains the fix.
Critical Impact
Authenticated users can read, write, and delete arbitrary files in sibling directories sharing a name prefix with their configured root, breaking tenant isolation in shared Jupyter deployments.
Affected Products
- Jupyter Server versions 2.17.0 and earlier
- Multi-tenant Jupyter deployments using predictable per-user directory naming
- Jupyter web application stacks that depend on Jupyter Server as their backend
Discovery Timeline
- 2026-05-05 - CVE-2026-35397 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-35397
Vulnerability Analysis
The vulnerability resides in the /api/contents REST API of Jupyter Server. The contents handler validates requested paths against the configured root_dir using a prefix comparison rather than a strict directory boundary check. An attacker submits a request with encoded path components that, after decoding, resolve to a sibling path on disk whose name starts with the same characters as root_dir. The server treats the resolved path as in-scope and serves the request. The result is full file-level access — read, write, and delete — across any sibling directory matching the prefix. Jupyter Server 2.18.0 introduces a corrected boundary check that requires a path separator after the root prefix.
Root Cause
The root cause is improper path containment enforcement [CWE-22]. The code compares resolved paths to root_dir using a string-prefix match instead of verifying that the resolved path is a true descendant of the root directory. Any sibling directory whose name begins with the root_dir value satisfies the check.
Attack Vector
Exploitation requires network reachability to the Jupyter Server REST API and a valid authenticated session (PR:L). The attacker issues HTTP requests to /api/contents containing URL-encoded path segments that resolve outside the intended root. With a root_dir of test, requests targeting testtest succeed. In multi-tenant setups, a user provisioned with a single-character directory such as a can reach every sibling beginning with a. No user interaction is needed.
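The prefix-versus-boundary distinction described in the Root Cause and Attack Vector sections, shown as a minimal added illustration in Python. This is not Jupyter Server's handler code; it re-creates only the flaw class (a bare string-prefix check) beside a containment check that requires a separator after the root, and it uses the page's own root names (test/testtest, user1/user10) as constructed inputs.

```python
import posixpath
from urllib.parse import unquote

# Added illustration of the flaw class described above. Paths are handled as
# POSIX strings so the example runs on any platform without touching disk.


def resolve_contents_path(root_dir: str, requested: str) -> str:
    """Decode a URL-encoded request path and resolve it under root_dir.

    A decoded '../' segment is what lets the result land on a sibling of
    root_dir (root 'test' -> sibling 'testtest').
    """
    decoded = unquote(requested).lstrip("/")
    return posixpath.normpath(posixpath.join(root_dir, decoded))


def in_scope_prefix_check(root_dir: str, resolved: str) -> bool:
    """Flawed containment check (CWE-22): a bare string-prefix comparison.

    Any sibling whose name begins with the root's name passes this test.
    """
    return resolved.startswith(posixpath.normpath(root_dir))


def in_scope_boundary_check(root_dir: str, resolved: str) -> bool:
    """Corrected check: the path is the root itself, or root + '/' + more.

    Requiring a separator after the prefix is the boundary the advisory
    describes for the fix (assumption: this mirrors the intent, not the diff).
    """
    root = posixpath.normpath(root_dir)
    if root == "/":  # the filesystem root contains every absolute path
        return resolved.startswith("/")
    return resolved == root or resolved.startswith(root + "/")


def compare_checks(root_dir: str, requested: str) -> dict:
    """Resolve one request and report what each containment check decides."""
    resolved = resolve_contents_path(root_dir, requested)
    return {
        "resolved": resolved,
        "prefix_check": in_scope_prefix_check(root_dir, resolved),
        "boundary_check": in_scope_boundary_check(root_dir, resolved),
    }


if __name__ == "__main__":
    # Constructed requests: an in-root file, a prefix-sharing sibling, an
    # unrelated sibling.
    for req in ("notebooks/a.ipynb", "..%2Ftesttest/notes.ipynb", "..%2Fother/x"):
        print(req, compare_checks("/srv/jupyter/test", req))
```

The sibling request resolves to `/srv/jupyter/testtest/notes.ipynb`; the prefix check accepts it because the string starts with `/srv/jupyter/test`, while the boundary check rejects it because the character after the root is `t`, not `/`.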
No public proof-of-concept code is available. See the GitHub Security Advisory GHSA-5789-5fc7-67v3 for technical details.
Detection Methods for CVE-2026-35397
Indicators of Compromise
- HTTP requests to /api/contents/ containing URL-encoded path separators such as %2F or .. sequences in path segments.
- Access to file paths whose first component shares a prefix with another tenant's root_dir but is not an exact match.
- Unexpected PUT, POST, or DELETE operations from one user's session targeting files outside their assigned workspace.
Detection Strategies
- Parse Jupyter Server access logs and alert on /api/contents requests where the resolved filesystem path leaves the user's authorized root_dir.
- Correlate authenticated user identity with the directory prefix of accessed resources to flag cross-tenant access patterns.
- Inspect application logs for 4xx/5xx responses on /api/contents that may indicate enumeration of sibling directories.
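One way to implement the first two detection strategies above, as an added example that is not part of the advisory or of Jupyter Server. It assumes request lines in the shape of Jupyter Server's default access logging, `<status> <method> <uri> (<user>@<ip>) <ms>ms`, and a mapping from authenticated user to configured root_dir; the log lines and the mapping below are constructed, not real traffic. It generalises slightly beyond the page by flagging any request that resolves outside the user's root, whether or not the target shares a name prefix.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: Jupyter Server's default request log line; adapt LOG_RE if your
# deployment formats access logs differently.
LOG_RE = re.compile(
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<uri>/api/contents\S*) "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\)"
)

# Constructed sample lines (not real traffic) carrying the indicators listed
# above: encoded separators, a prefix-sharing sibling, a write, a 4xx probe.
SAMPLE_LOG = """\
[I 2026-05-05 10:00:01.001 ServerApp] 200 GET /api/contents/notebooks?content=1 (test@10.0.0.5) 3.10ms
[I 2026-05-05 10:00:02.002 ServerApp] 200 GET /api/contents/..%2Ftesttest/notes.ipynb?content=1 (test@10.0.0.5) 2.40ms
[I 2026-05-05 10:00:03.003 ServerApp] 201 PUT /api/contents/..%2Ftesttest/dropped.txt (test@10.0.0.5) 5.00ms
[I 2026-05-05 10:00:04.004 ServerApp] 404 GET /api/contents/..%2Ftestdata/x.ipynb (test@10.0.0.5) 1.20ms
[I 2026-05-05 10:00:05.005 ServerApp] 200 GET /api/contents/report.ipynb?content=1 (testtest@10.0.0.9) 2.00ms
""".splitlines()

# Constructed mapping of authenticated user -> configured root_dir.
USER_ROOTS = {
    "test": "/srv/jupyter/test",
    "testtest": "/srv/jupyter/testtest",
}


def resolve_request_path(root_dir: str, uri: str) -> str:
    """Turn an /api/contents URI into the filesystem path it resolves to."""
    api_path = urlsplit(uri).path  # drop ?content=1 and similar
    rel = unquote(api_path[len("/api/contents"):]).lstrip("/")
    return posixpath.normpath(posixpath.join(root_dir, rel))


def is_within_root(root_dir: str, resolved: str) -> bool:
    """True only if resolved is root_dir itself or a true descendant of it."""
    root = posixpath.normpath(root_dir)
    return posixpath.commonpath([root, resolved]) == root


def find_cross_root_access(log_lines, user_roots):
    """Return (user, status, method, resolved_path) for every request whose
    resolved path leaves that user's authorized root_dir."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        root = user_roots.get(m["user"])
        if root is None:  # unknown identity: cannot judge containment, skip
            continue
        resolved = resolve_request_path(root, m["uri"])
        if not is_within_root(root, resolved):
            findings.append((m["user"], m["status"], m["method"], resolved))
    return findings


if __name__ == "__main__":
    for user, status, method, path in find_cross_root_access(SAMPLE_LOG, USER_ROOTS):
        print(f"ALERT user={user} {method} {status} -> {path}")
```

The containment test uses `posixpath.commonpath`, which compares whole path components, so `/srv/jupyter/testtest` is correctly judged to be outside `/srv/jupyter/test`. The 404 line is reported as well, since a failed request that still resolved outside the root is the enumeration signal the third strategy points at.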
Monitoring Recommendations
- Enable verbose request logging on Jupyter Server and forward logs to a centralized analytics platform for long-term retention.
- Establish baselines for per-user file operation volume and alert on deviations indicating directory enumeration.
- Monitor filesystem audit events (auditd, fanotify) on hosts running Jupyter Server for writes to directories outside the expected per-user roots.
How to Mitigate CVE-2026-35397
Immediate Actions Required
- Upgrade Jupyter Server to version 2.18.0 or later on every host running the backend.
- Audit existing tenant directory layouts for shared name prefixes and rename any folders that collide with another tenant's root.
- Review access logs for prior /api/contents requests that resolved outside the intended root_dir.
Patch Information
The Jupyter Server maintainers fixed the path containment check in version 2.18.0. Refer to the GitHub Security Advisory GHSA-5789-5fc7-67v3 for release notes and the corresponding code change.
Workarounds
- Ensure no folder name shares a common prefix with any sibling directory on the host filesystem.
- Avoid single-character or short tenant directory names; use unique, non-overlapping identifiers such as UUIDs.
- Place each tenant's root_dir inside its own parent directory so siblings of the root are controlled by the operator, not other tenants.
# Configuration example: upgrade and isolate tenant roots
pip install --upgrade 'jupyter_server>=2.18.0'
# Recommended directory layout (each tenant isolated under its own parent)
# /srv/jupyter/tenants/<uuid>/workspace
# Generate the tenant id once and reuse it, so root_dir points at the directory just created
TENANT_ID=$(uuidgen)
mkdir -p "/srv/jupyter/tenants/$TENANT_ID/workspace"
jupyter server --ServerApp.root_dir="/srv/jupyter/tenants/$TENANT_ID/workspace"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.