CVE-2026-39377 Overview
CVE-2026-39377 is a path traversal vulnerability in Jupyter nbconvert, the widely used tool that converts Jupyter notebooks to other formats via Jinja templates. It affects versions 6.5 up to and including 7.17.0, in which the ExtractAttachmentsPreprocessor component fails to sanitize cell attachment filenames before they are used as paths under the output directory. An attacker can therefore craft a notebook whose cell attachment filenames cause nbconvert to write files outside the intended output directory.
Critical Impact
Attackers can achieve arbitrary file writes with control over the destination path, the file extension and the file contents, limited only by the permissions of the account running nbconvert. Overwriting configuration files, shell startup files or scheduled-task definitions can turn that primitive into code execution or full system compromise.
Affected Products
- Jupyter nbconvert versions 6.5 through 7.17.0
- Applications and services that process untrusted Jupyter notebooks using nbconvert
- CI/CD pipelines and automated systems that convert Jupyter notebooks
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-39377 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-39377
Vulnerability Analysis
This path traversal vulnerability (CWE-22) occurs within the ExtractAttachmentsPreprocessor component of Jupyter nbconvert. The core issue stems from insufficient input validation when processing cell attachments embedded within Jupyter notebook files. When nbconvert processes a notebook for conversion, it extracts attachments and writes them to the output directory. However, the attachment filenames are passed directly to filesystem operations without proper sanitization.
The vulnerability requires user interaction: a victim must process a maliciously crafted notebook with nbconvert. Once triggered, the attacker chooses the destination path, including the file extension, subject only to the filesystem permissions of the account running nbconvert. That is enough to overwrite configuration files, inject scripts, or plant executables in locations from which they will later be run.
Root Cause
The root cause lies in the ExtractAttachmentsPreprocessor module, which directly passes user-controlled attachment filenames to filesystem write operations without sanitizing path traversal sequences such as ../ or absolute paths. The component fails to validate that the resulting file path remains within the intended output directory boundary.
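To make the root cause concrete, here is an added illustration (not nbconvert's own code) of the write pattern the advisory describes and of the containment check that fixes it: a writer that joins caller-supplied attachment names onto the output directory, once with no check and once requiring that the resolved path stay inside that directory. The attachment names and contents are constructed, and everything runs inside a temporary directory, so the unsafe variant escapes only its nominal output directory and never touches the real system.

```python
import os
import tempfile

# Constructed sample attachments: one benign name and one traversal name of the
# kind the advisory describes. Contents are placeholders, not real notebook data.
SAMPLE_OUTPUTS = {
    "figure.png": b"\x89PNG placeholder",
    "../../escaped.txt": b"attacker-controlled content",
}


def write_outputs_unsafe(build_directory, outputs):
    """The vulnerable pattern: join the caller-supplied name onto the output
    directory and write, with no check that the result stays inside it.
    Returns the resolved paths actually written."""
    written = []
    for name, data in outputs.items():
        dest = os.path.join(build_directory, name)  # '..' segments and absolute names escape here
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(dest))
    return written


def name_is_contained(build_directory, name):
    """True only if build_directory/name resolves to a location under
    build_directory. realpath also follows symlinks, so a symlinked
    subdirectory that points outside the tree is rejected as well."""
    root = os.path.realpath(build_directory)
    dest = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, dest]) == root


def write_outputs_safe(build_directory, outputs):
    """Same writer with the containment check in front of every write.
    Returns (written_paths, rejected_names)."""
    written, rejected = [], []
    root = os.path.realpath(build_directory)
    for name, data in outputs.items():
        if not name_is_contained(root, name):
            rejected.append(name)
            continue
        dest = os.path.realpath(os.path.join(root, name))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(dest)
    return written, rejected


def demo():
    """Run both writers in a throwaway tree and report, relative to the
    sandbox root, which files landed outside the nominal output directory."""
    with tempfile.TemporaryDirectory() as sandbox:
        root = os.path.realpath(sandbox)
        out_dir = os.path.join(root, "nested", "output")
        os.makedirs(out_dir)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        unsafe = write_outputs_unsafe(out_dir, SAMPLE_OUTPUTS)
        escaped = [p for p in unsafe if os.path.commonpath([out_dir, p]) != out_dir]
        written, rejected = write_outputs_safe(out_dir, SAMPLE_OUTPUTS)
        return {
            "unsafe_escaped": [rel(p) for p in escaped],
            "safe_written": [rel(p) for p in written],
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the resolved path rather than by stripping "../" from the name: a name with a symlinked directory component, or one with an absolute path that os.path.join silently honours, escapes the directory without ever containing a ".." the stripping would catch.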
Attack Vector
The attack vector is remote in the CVSS sense: the attacker only has to get a malicious .ipynb in front of a person or system that will convert it, whether by email, a shared repository, a bug report, or an upload to a service that renders notebooks. The attacker crafts a notebook containing cell attachments whose filenames include path traversal sequences or absolute paths. When the victim runs jupyter nbconvert on that notebook, the ExtractAttachmentsPreprocessor extracts the attachment and its content is written to an attacker-controlled location outside the intended output directory.
For example, an attachment filename of the form ../../../etc/cron.d/malicious would drop the attachment contents into the system's cron directory, potentially achieving code execution. Two practical conditions apply: the number of ../ components must match the depth of the output directory, and the file is written with the privileges of the account running nbconvert, so /etc/cron.d is reachable only when that account is root or otherwise has write access there. Under an unprivileged account the same primitive still reaches anything that user can write, such as shell startup files or Jupyter's own configuration directory. The attacker controls both the file path and the file contents, since the contents come from the attachment data.
Detection Methods for CVE-2026-39377
Indicators of Compromise
- Jupyter notebook files containing cell attachments whose filenames include path traversal segments (../ or ..\), absolute paths, or Windows drive letters
- Unexpected file modifications or creations outside normal nbconvert output directories
- nbconvert log output, or the log of the service wrapping it, showing support files written to destinations outside the output directory
- Files appearing in sensitive system directories that correlate with nbconvert execution times
Detection Strategies
- Monitor file system activity during nbconvert execution for writes outside expected output directories
- Implement file integrity monitoring on critical system directories and configuration files
- Analyze incoming Jupyter notebook files for suspicious attachment filenames containing path traversal patterns
- Deploy endpoint detection rules that flag nbconvert processes writing to sensitive paths
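As an added example that is not part of the original page, the monitoring strategy above expressed as a filter over file-write events. The event records, the process names and the allowed output roots are constructed to resemble what an EDR or auditd pipeline would feed a detection rule; the field names are assumptions, so map them to your own telemetry. The rule normalises the written path, decides whether the writing process is nbconvert, and then asks whether the target falls outside every expected output root or onto a location a notebook converter should never touch.

```python
import posixpath

# Constructed allowlist: directories nbconvert is expected to write into on this host.
ALLOWED_OUTPUT_ROOTS = ["/srv/nbconvert/out", "/home/alice/reports"]

# Locations where a write by a notebook converter is never legitimate (assumed list; extend per host).
SENSITIVE_PREFIXES = ("/etc/", "/usr/local/bin/", "/var/spool/cron/", "/usr/lib/systemd/")
SENSITIVE_SUFFIXES = ("/.bashrc", "/.profile", "/.ssh/authorized_keys",
                      "/.jupyter/jupyter_notebook_config.py")

# Constructed file-write events in a simplified EDR/auditd-like shape. Field names are
# assumptions. 'comm' is the kernel's 15-character truncated process name, which is why
# the process test below also looks at the full command line.
SAMPLE_EVENTS = [
    {"ts": "2026-04-22T10:00:01Z", "comm": "jupyter-nbconve",
     "cmdline": "/usr/bin/python3 /usr/local/bin/jupyter-nbconvert --to html report.ipynb",
     "cwd": "/srv/nbconvert/out", "path": "report.html"},
    {"ts": "2026-04-22T10:00:01Z", "comm": "jupyter-nbconve",
     "cmdline": "/usr/bin/python3 /usr/local/bin/jupyter-nbconvert --to html report.ipynb",
     "cwd": "/srv/nbconvert/out", "path": "report_files/chart.png"},
    {"ts": "2026-04-22T10:00:02Z", "comm": "jupyter-nbconve",
     "cmdline": "/usr/bin/python3 /usr/local/bin/jupyter-nbconvert --to html report.ipynb",
     "cwd": "/srv/nbconvert/out", "path": "report_files/../../../../etc/cron.d/job"},
    {"ts": "2026-04-22T10:05:00Z", "comm": "python3",
     "cmdline": "python3 -m nbconvert --to markdown weekly.ipynb",
     "cwd": "/home/alice/reports", "path": "/home/alice/.ssh/authorized_keys"},
    {"ts": "2026-04-22T10:06:00Z", "comm": "vim", "cmdline": "vim /etc/hosts",
     "cwd": "/root", "path": "/etc/hosts"},
    {"ts": "2026-04-22T10:07:00Z", "comm": "python3",
     "cmdline": "python3 -m nbconvert --to markdown weekly.ipynb",
     "cwd": "/home/alice/reports", "path": "weekly.md"},
    {"ts": "2026-04-22T10:07:01Z", "comm": "python3",
     "cmdline": "python3 -m nbconvert --to markdown weekly.ipynb",
     "cwd": "/home/alice/reports", "path": "../../../opt/app/static/index.html"},
]


def is_nbconvert(ev):
    """Match on the full command line because comm is truncated and nbconvert
    can run as 'jupyter-nbconvert', 'jupyter nbconvert' or 'python -m nbconvert'."""
    return "nbconvert" in ev.get("cmdline", "") or ev.get("comm", "").startswith("jupyter-nbconv")


def resolve_path(ev):
    """Lexical normalisation only: relative paths are joined to cwd and '..'
    segments collapsed. Symlinks cannot be followed offline; do that on the host."""
    return posixpath.normpath(posixpath.join(ev["cwd"], ev["path"]))


def under(path, root):
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def classify_write(ev, allowed_roots=ALLOWED_OUTPUT_ROOTS):
    """Return an alert reason for this event, or None if it is not interesting."""
    if not is_nbconvert(ev):
        return None
    p = resolve_path(ev)
    if p.startswith(SENSITIVE_PREFIXES) or p.endswith(SENSITIVE_SUFFIXES):
        return "sensitive-target"
    if not any(under(p, r) for r in allowed_roots):
        return "outside-allowlist"
    return None


def detect(events, allowed_roots=ALLOWED_OUTPUT_ROOTS):
    alerts = []
    for ev in events:
        reason = classify_write(ev, allowed_roots)
        if reason:
            alerts.append({"ts": ev["ts"], "reason": reason,
                           "path": resolve_path(ev), "cmdline": ev.get("cmdline", "")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["reason"]:18} {a["path"]}  <- {a["cmdline"]}')
```

The sensitive-target test runs before the allowlist test on purpose: a write into a sensitive location is the higher-severity signal even when, on a badly configured host, the allowlist would happen to cover it. Expect the outside-allowlist reason to need tuning, since nbconvert and the libraries it loads may legitimately write to temporary or cache directories.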
Monitoring Recommendations
- Run nbconvert with --log-level=DEBUG (a standard Jupyter application option) in production environments and retain its output
- Implement sandbox environments for processing untrusted Jupyter notebooks
- Configure EDR tooling such as SentinelOne to alert on anomalous file write patterns from Python and Jupyter processes, in particular writes outside their expected output directories
- Establish baseline file system activity for nbconvert operations to detect deviations
How to Mitigate CVE-2026-39377
Immediate Actions Required
- Upgrade Jupyter nbconvert to version 7.17.1 or later immediately
- Audit any notebooks from untrusted sources before processing with vulnerable versions
- If immediate patching is not possible, validate at the application layer: reject any notebook whose cell attachment names contain a path separator, a .. segment, an absolute path or a drive letter before it reaches nbconvert
- Restrict nbconvert execution to sandboxed or containerized environments when processing external notebooks
Patch Information
Jupyter has released nbconvert 7.17.1, which contains the fix: attachment filenames are sanitized before they are used as output paths, so a name can no longer escape the output directory. Update with pip, quoting the requirement so the shell does not treat >= as an output redirection:
pip install --upgrade "nbconvert>=7.17.1"
For detailed information about the patch, refer to the GitHub Release Notes for v7.17.1 and the GitHub Security Advisory.
Workarounds
- Avoid processing Jupyter notebooks from untrusted sources until patching is complete
- Disable the ExtractAttachmentsPreprocessor if attachment extraction is not required. nbconvert preprocessors expose an enabled trait, so --ExtractAttachmentsPreprocessor.enabled=False on the command line, or c.ExtractAttachmentsPreprocessor.enabled = False in jupyter_nbconvert_config.py, turns it off; confirm against your installed version and exporter templates that nothing re-enables it
- Run nbconvert in a containerized environment with restricted filesystem access
- Implement a pre-processing step that validates attachment filenames before passing notebooks to nbconvert
# Example: run nbconvert in a restricted container. The image name is a
# placeholder: use an image you have built or verified to ship nbconvert >= 7.17.1.
# --read-only makes a traversal out of /output fail on the container's root
# filesystem instead of landing anywhere, and the host only ever sees /output.
docker run --rm \
  -v "$(pwd)/notebooks:/notebooks:ro" \
  -v "$(pwd)/output:/output" \
  --read-only --tmpfs /tmp \
  --network none --cap-drop ALL --security-opt no-new-privileges \
  nbconvert-image:7.17.1 \
  jupyter nbconvert --to html /notebooks/input.ipynb --output-dir=/output
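One way to implement the pre-processing step from the workarounds above, as an added example that is not the project's own code: parse the .ipynb JSON, walk every cell's attachments dictionary, and refuse any name that is not a plain single-component file name. The notebook below is constructed for illustration (its attachment payloads are placeholder base64), and the policy is deliberately stricter than a directory containment check, because an attachment name never legitimately needs a directory component; relax it only if you know your templates rely on one.

```python
import json
import re
import sys

# Constructed minimal nbformat-4 notebook (not a real file from the advisory) with one
# benign attachment name, one traversal name, one Windows absolute path and one name
# with a subdirectory. Attachment payloads are placeholder base64 strings.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["![a](attachment:chart.png)"],
         "attachments": {"chart.png": {"image/png": "aGVsbG8="}}},
        {"cell_type": "markdown", "metadata": {},
         "source": ["![b](attachment:../../../etc/cron.d/job)"],
         "attachments": {"../../../etc/cron.d/job": {"text/plain": "aGVsbG8="}}},
        {"cell_type": "markdown", "metadata": {},
         "source": ["![c](attachment:C:\\Temp\\x.bat)", "![d](attachment:notes/readme.txt)"],
         "attachments": {"C:\\Temp\\x.bat": {"text/plain": "aGVsbG8="},
                         "notes/readme.txt": {"text/plain": "aGVsbG8="}}},
        {"cell_type": "code", "metadata": {}, "source": ["print(1)"],
         "outputs": [], "execution_count": None},
    ],
})

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_attachment_name(name):
    """Return None for a plain single-component file name, otherwise a reason.
    Strict by design: an attachment name should never need a directory component,
    so every separator is flagged, not only those that form '..' sequences."""
    if not name or any(ord(ch) < 32 for ch in name):
        return "empty-or-control"
    if name.startswith(("/", "\\")) or DRIVE_RE.match(name):
        return "absolute"
    parts = re.split(r"[\\/]", name)
    if ".." in parts:
        return "traversal"
    if len(parts) > 1:
        return "separator"
    return None


def scan_notebook(text):
    """Parse .ipynb JSON and return (cell_index, name, reason) for every attachment
    name that fails the policy. The notebook is never handed to nbconvert here."""
    nb = json.loads(text)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        for name in (cell.get("attachments") or {}):
            reason = classify_attachment_name(name)
            if reason:
                findings.append((idx, name, reason))
    return findings


if __name__ == "__main__":
    # Usage: python scan.py a.ipynb b.ipynb; exits non-zero if anything is flagged.
    # With no arguments it scans the constructed sample above.
    flagged = False
    for path in sys.argv[1:] or ["<sample>"]:
        text = SAMPLE_NOTEBOOK if path == "<sample>" else open(path, encoding="utf-8").read()
        for idx, name, reason in scan_notebook(text):
            flagged = True
            print(f"{path}: cell {idx}: {reason}: {name!r}")
    sys.exit(1 if flagged else 0)
```

Both separator styles and drive letters are checked regardless of the host platform, since a notebook produced on Windows can be converted on Linux and vice versa, and a gate that only knows its own platform's separator is the classic way such filters are bypassed.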
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

