Vulnerability Information
Vulnerability Title
jupyter-server path traversal allows access to sibling directories sharing root_dir name prefix
Vulnerability Description
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.
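The bug class described above is a containment check done on path strings rather than path components: a resolved path under "/srv/notebooks/testtest" starts with the characters "/srv/notebooks/test", so a bare prefix comparison accepts it. The following is an added illustration of that weak check beside a component-wise check, plus a small audit helper for the workaround the advisory recommends (no shared name prefixes among siblings). It is example code, not jupyter-server's own implementation; the root path, file names and sibling names are constructed, and `posixpath` is used so the behaviour is the same on every platform.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample layout: the served root. A sibling directory named
# "testtest" would sit beside it and share the "test" name prefix.
ROOT_DIR = "/srv/notebooks/test"


def resolve(api_path: str, root_dir: str = ROOT_DIR) -> str:
    """Decode a percent-encoded API path and resolve it against root_dir.

    Decoding happens before normalisation so that the containment check
    sees the same path the file system will eventually open.
    """
    return posixpath.normpath(posixpath.join(root_dir, unquote(api_path)))


def is_inside_prefix_check(api_path: str, root_dir: str = ROOT_DIR) -> bool:
    """Weak check (hypothetical): a character-level prefix comparison.

    "/srv/notebooks/testtest/x" starts with "/srv/notebooks/test", so a
    sibling sharing the root's name prefix is wrongly accepted.
    """
    resolved = resolve(api_path, root_dir)
    return resolved.startswith(posixpath.normpath(root_dir))


def is_inside_commonpath(api_path: str, root_dir: str = ROOT_DIR) -> bool:
    """Hardened check: compare path components, not characters.

    posixpath.commonpath returns root_dir only when the resolved path is
    root_dir itself or lies strictly below it; "testtest" shares only the
    parent "/srv/notebooks" with "test" and is therefore rejected.
    """
    resolved = resolve(api_path, root_dir)
    root = posixpath.normpath(root_dir)
    try:
        return posixpath.commonpath([root, resolved]) == root
    except ValueError:
        # Raised when mixing absolute and relative paths; treat as outside.
        return False


def siblings_sharing_prefix(root_name: str, sibling_names: list[str]) -> list[str]:
    """Audit helper for the advisory's workaround.

    Returns the sibling directory names (excluding root_name itself) whose
    names begin with root_name, i.e. the ones a prefix-only check would
    expose. Use it to review a multi-tenant naming scheme.
    """
    return [
        name
        for name in sibling_names
        if name != root_name and name.startswith(root_name)
    ]


if __name__ == "__main__":
    # Constructed request paths: one inside the root, one landing in the
    # prefix-sharing sibling, one landing in an unrelated sibling.
    for p in ["notebooks/a.ipynb", "../testtest/notes.ipynb", "../other/x"]:
        print(
            f"{p!r:28} resolved={resolve(p)!r:40} "
            f"prefix_check={is_inside_prefix_check(p)} "
            f"commonpath_check={is_inside_commonpath(p)}"
        )
    # Constructed tenant names matching the user1 / user10..user19 scenario.
    print(siblings_sharing_prefix("user1", ["user1", "user10", "user19", "user2"]))
```

Only the second check rejects the path that resolves into the "testtest" sibling; the prefix check accepts it while still rejecting an unrelated sibling, which is why this bug survives casual testing. The audit helper reports which existing sibling names would be reachable under a prefix-only check, which is the practical way to evaluate the advisory's "no shared prefix" workaround for a given deployment.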
CVSS Information
N/A
Vulnerability Type
Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Vulnerability Title
Jupyter Server Path Traversal Vulnerability
Vulnerability Description
Jupyter Server is an application from the Jupyter organization that provides backend services for Jupyter web applications. Jupyter Server 2.17.0 and earlier contain a path traversal vulnerability. It stems from a path traversal flaw in the REST API that may allow an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the root_dir name as a prefix. Affected versions: 2.17.0 and earlier.
CVSS Information
N/A
Vulnerability Type
N/A