{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/jupyter-server--2.17.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Jupyter Server (\u003c= 2.17.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","privilege-escalation","jupyter"],"_cs_type":"advisory","_cs_vendors":["Jupyter"],"content_html":"\u003cp\u003eJupyter Server, the backend web server behind Jupyter web applications such as JupyterLab, has a path traversal vulnerability affecting versions 2.17.0 and earlier. The flaw is a prefix check: the server verifies that the resolved filesystem path \u003ccode\u003estartswith()\u003c/code\u003e the configured \u003ccode\u003eroot_dir\u003c/code\u003e without requiring a path separator after it, so a sibling directory whose name begins with the root directory\u0026rsquo;s name (\u003ccode\u003etesttest\u003c/code\u003e next to a root of \u003ccode\u003etest\u003c/code\u003e) passes the check. An authenticated user can exploit this by crafting \u003ccode\u003e/api/contents/\u003c/code\u003e requests that resolve into such a sibling and then read, write or delete its contents. The vulnerability is especially dangerous in multi-tenant deployments that use predictable per-user directory names such as \u003ccode\u003euser1\u003c/code\u003e, \u003ccode\u003euser2\u003c/code\u003e, etc., where one user can reach the files of every user whose directory name extends their own. The vulnerability was reported on May 5, 2026, and is identified as CVE-2026-35397. 
Defenders should prioritize patching and, until then, apply the naming workaround below to prevent unauthorized access to other tenants\u0026rsquo; data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker, an authenticated user, logs into a vulnerable Jupyter Server instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eroot_dir\u003c/code\u003e of their own Jupyter environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a sibling directory whose name begins with the name of \u003ccode\u003eroot_dir\u003c/code\u003e (e.g., if \u003ccode\u003eroot_dir\u003c/code\u003e is \u003ccode\u003etest\u003c/code\u003e, a sibling directory might be \u003ccode\u003etesttest\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003e/api/contents/\u003c/code\u003e endpoint whose path starts with a percent-encoded traversal sequence (\u003ccode\u003e%2e%2e/\u003c/code\u003e) followed by the sibling directory and the target file. For example, a POST to \u003ccode\u003e/api/contents/%2e%2e/testtest/secret.txt/checkpoints\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe decoded path climbs one level out of \u003ccode\u003etest\u003c/code\u003e and into \u003ccode\u003etesttest\u003c/code\u003e, but because \u003ccode\u003etest\u003c/code\u003e is a prefix of \u003ccode\u003etesttest\u003c/code\u003e the resolved path still begins with the root directory\u0026rsquo;s path, so the \u003ccode\u003estartswith()\u003c/code\u003e check passes and the request proceeds.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the target file within the sibling directory.\u003c/li\u003e\n\u003cli\u003eThe attacker can then read, write, or delete the accessed file, potentially escalating privileges or compromising sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages that access to compromise other tenants\u0026rsquo; accounts or, if a reachable sibling holds server configuration, the Jupyter Server instance itself.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read, write, and delete files in directories sibling to the Jupyter Server\u0026rsquo;s \u003ccode\u003eroot_dir\u003c/code\u003e whose names begin with the root directory\u0026rsquo;s name. 
This can lead to privilege escalation, especially in multi-tenant environments. For instance, in systems with predictable naming schemes like \u003ccode\u003euser1\u003c/code\u003e, \u003ccode\u003euser2\u003c/code\u003e, \u0026hellip;, \u003ccode\u003euser10\u003c/code\u003e, an attacker with access to \u003ccode\u003euser1\u003c/code\u003e could modify files belonging to \u003ccode\u003euser10\u003c/code\u003e through \u003ccode\u003euser19\u003c/code\u003e, because each of those names begins with \u003ccode\u003euser1\u003c/code\u003e. The severity is heightened where users choose their own folder names: an attacker who registers a single-letter name can reach every sibling directory whose name starts with that letter.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Jupyter Server version 2.17.1 or later to patch CVE-2026-35397.\u003c/li\u003e\n\u003cli\u003eIn any code that maps user-supplied paths onto the filesystem, check containment on whole path components (the resolved path must equal \u003ccode\u003eroot_dir\u003c/code\u003e or start with \u003ccode\u003eroot_dir\u003c/code\u003e followed by a separator) rather than with a bare string prefix test.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Jupyter Server Path Traversal Attempt\u0026rdquo; to monitor for \u003ccode\u003e/api/contents/\u003c/code\u003e requests containing path traversal sequences such as \u003ccode\u003e%2e%2e/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUntil patched, review and revise folder naming schemes so that no tenant\u0026rsquo;s \u003ccode\u003eroot_dir\u003c/code\u003e name is a prefix of a sibling directory\u0026rsquo;s name, as suggested in the advisory workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T16:49:10Z","date_published":"2026-05-05T16:49:10Z","id":"/briefs/2024-01-jupyter-path-traversal/","summary":"Jupyter Server version 2.17.0 and earlier is vulnerable to a path traversal vulnerability due to an insufficient prefix check on the root directory, allowing an authenticated user to read, write, and delete content outside the server's root directory in sibling directories whose names begin with the root directory's name, potentially leading to privilege escalation in multi-tenant environments.","title":"Jupyter Server Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-jupyter-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["jupyter-server (\u003c= 2.17.0)"],"_cs_severities":["high"],"_cs_tags":["cors","origin-validation","regex","web-application"],"_cs_type":"advisory","_cs_vendors":["Jupyter"],"content_html":"\u003cp\u003eJupyter Server, the backend web server behind Jupyter web applications, is susceptible to a CORS (Cross-Origin Resource Sharing) bypass vulnerability. The flaw arises from the server\u0026rsquo;s use of \u003ccode\u003ere.match()\u003c/code\u003e from Python\u0026rsquo;s regular expression library to validate the \u003ccode\u003eOrigin\u003c/code\u003e header against the configured \u003ccode\u003eallow_origin_pat\u003c/code\u003e. Unlike \u003ccode\u003ere.fullmatch()\u003c/code\u003e, \u003ccode\u003ere.match()\u003c/code\u003e anchors the pattern only at the beginning of the string, not at the end, so an unanchored pattern intended to match exactly \u003ccode\u003etrusted.example.com\u003c/code\u003e also matches any longer value that begins with it. An attacker who controls \u003ccode\u003eevil.com\u003c/code\u003e can therefore serve a page from \u003ccode\u003ehttp://trusted.example.com.evil.com/\u003c/code\u003e, a subdomain entirely under their control, and that origin passes the validation. This vulnerability impacts Jupyter Server versions 2.17.0 and prior. The fix was implemented in pull request #603 and patched in commits 057869a327c46730afede3eab0ca2d2e3e74acea and 49b34392feaa97735b3b777e3baf8f22f2a14ed8. 
Successful exploitation allows an attacker to bypass CORS restrictions, potentially leading to unauthorized data access or actions performed with a legitimate user\u0026rsquo;s session.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Jupyter Server instance running version 2.17.0 or earlier whose \u003ccode\u003eallow_origin_pat\u003c/code\u003e is not anchored at the end of the string.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious page on a domain chosen so that the \u003ccode\u003eallow_origin_pat\u003c/code\u003e regex matches it as a prefix. For instance, if the intended origin is \u003ccode\u003etrusted.example.com\u003c/code\u003e, the attacker uses \u003ccode\u003etrusted.example.com.evil.com\u003c/code\u003e, a subdomain of a domain they own.\u003c/li\u003e\n\u003cli\u003eA victim who is logged in to the Jupyter Server visits the attacker\u0026rsquo;s page in their browser.\u003c/li\u003e\n\u003cli\u003eScript on the page issues a cross-origin HTTP request to the vulnerable Jupyter Server. The browser sets the \u003ccode\u003eOrigin\u003c/code\u003e header itself, to the page\u0026rsquo;s own origin (\u003ccode\u003ehttp://trusted.example.com.evil.com\u003c/code\u003e); the attacker does not need to forge it.\u003c/li\u003e\n\u003cli\u003eThe Jupyter Server validates the \u003ccode\u003eOrigin\u003c/code\u003e header against the \u003ccode\u003eallow_origin_pat\u003c/code\u003e configuration using \u003ccode\u003ere.match()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003ere.match()\u003c/code\u003e only requires a match at the beginning of the string, the attacker\u0026rsquo;s origin passes the validation.\u003c/li\u003e\n\u003cli\u003eThe Jupyter Server treats the origin as trusted and answers the cross-origin request, bypassing the intended CORS restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script can now read responses from and issue requests to the Jupyter API with the victim\u0026rsquo;s privileges, as if they originated from the trusted site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass CORS restrictions on vulnerable Jupyter Server instances. This could lead to unauthorized access to sensitive data, modification of user settings, or execution of arbitrary code within the Jupyter environment, all performed with the privileges of the logged-in victim. Exposure requires both a vulnerable Jupyter Server version and an \u003ccode\u003eallow_origin_pat\u003c/code\u003e that is not anchored at the end of the string.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Jupyter Server to a version greater than 2.17.0, which includes the fix for CVE-2026-40110.\u003c/li\u003e\n\u003cli\u003eAs a workaround on unpatched servers, wrap your \u003ccode\u003eallow_origin_pat\u003c/code\u003e value in \u003ccode\u003e^\u003c/code\u003e and \u003ccode\u003e$\u003c/code\u003e so that the regex has to match the entire \u003ccode\u003eOrigin\u003c/code\u003e value, as suggested in the advisory; the \u003ccode\u003e$\u003c/code\u003e is what closes the bypass, since \u003ccode\u003ere.match()\u003c/code\u003e already anchors the start. Escape the dots in hostnames, since an unescaped \u003ccode\u003e.\u003c/code\u003e matches any character.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for \u003ccode\u003eOrigin\u003c/code\u003e headers that begin with your trusted origin but do not end there (e.g. \u003ccode\u003etrusted.example.com.evil.com\u003c/code\u003e when \u003ccode\u003etrusted.example.com\u003c/code\u003e is the configured pattern); the exact trusted value is expected traffic and should not be alerted on. Implement this detection using the provided Sigma rule targeting webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-jupyter-cors-bypass/","summary":"Jupyter Server versions 2.17.0 and earlier are vulnerable to a CORS origin validation bypass due to improper use of `re.match()` in validating the Origin header against the `allow_origin_pat` configuration, allowing attackers to bypass CORS restrictions.","title":"Jupyter Server CORS Origin Validation Bypass via Regex","url":"https://feed.craftedsignal.io/briefs/2024-01-jupyter-cors-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Jupyter Server (\u003c= 2.17.0)","version":"https://jsonfeed.org/version/1.1"}
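The prefix-check failure in the first brief above (a bare startswith() on root_dir, test versus testtest, user1 reaching user10 through user19) and its detection, as an added Python example. This is not code from the feed or from Jupyter Server; the helper names, the root path /srv/jupyter/test, the user1..user20 tenant layout and the access-log lines are all constructed for illustration, and the functions mimic a contents manager's path handling rather than reproduce it.

```python
import os
import re
from typing import Iterable, List
from urllib.parse import unquote

# Example code written for this brief; it is not Jupyter Server's own
# contents-manager code. Assumes a POSIX path layout. The root directory,
# tenant names and log lines below are constructed and need not exist on disk.


def resolve_api_path(root_dir: str, api_path: str) -> str:
    """Map the <path> part of /api/contents/<path> onto the filesystem the way a
    contents manager would: percent-decode it, join it under root_dir, normalise.
    abspath() collapses '..' segments without touching the disk; production code
    should also realpath() so a symlink inside root_dir cannot point outside it."""
    decoded = unquote(api_path)  # "%2e%2e/testtest/secret.txt" -> "../testtest/secret.txt"
    return os.path.abspath(os.path.join(root_dir, decoded))


def inside_root_vulnerable(root_dir: str, api_path: str) -> bool:
    """The check the advisory describes: a bare startswith() on the resolved path.
    '/srv/jupyter/testtest/secret.txt'.startswith('/srv/jupyter/test') is True, so
    a sibling whose name merely begins with the root's name counts as inside it."""
    root = os.path.abspath(root_dir)
    return resolve_api_path(root_dir, api_path).startswith(root)


def inside_root_fixed(root_dir: str, api_path: str) -> bool:
    """Containment on whole path components: the target must be root itself or sit
    below root + separator. os.path.commonpath compares component by component,
    so '/srv/jupyter/testtest' is no longer 'inside' '/srv/jupyter/test'."""
    root = os.path.abspath(root_dir)
    target = resolve_api_path(root_dir, api_path)
    return os.path.commonpath([root, target]) == root


def reachable_siblings(tenant_dirs: Iterable[str], attacker_dir: str) -> List[str]:
    """Blast radius of the prefix check in a multi-tenant layout: every sibling
    directory whose name begins with the attacker's own directory name."""
    return sorted(d for d in tenant_dirs if d != attacker_dir and d.startswith(attacker_dir))


def traversal_requests(log_lines: Iterable[str]) -> List[str]:
    """Detection over access-log lines: flag /api/contents/ requests whose path,
    after percent-decoding (twice, to catch %252e double encoding), contains a
    '..' component. Returns the raw request paths that matched."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|PUT|PATCH|DELETE) (/api/contents/\S*)', line)
        if not m:
            continue
        raw = m.group(1)
        decoded = unquote(unquote(raw))
        if ".." in decoded.split("/"):
            hits.append(raw)
    return hits


ROOT = "/srv/jupyter/test"                    # constructed root_dir for one tenant
TENANTS = [f"user{i}" for i in range(1, 21)]  # constructed sibling layout user1..user20

SAMPLE_LOG = [  # constructed access-log lines, not from a real server
    '10.0.0.5 - - [05/May/2026:16:49:10 +0000] "GET /api/contents/notebooks/a.ipynb HTTP/1.1" 200',
    '10.0.0.9 - - [05/May/2026:16:49:12 +0000] "POST /api/contents/%2e%2e/testtest/secret.txt/checkpoints HTTP/1.1" 201',
    '10.0.0.9 - - [05/May/2026:16:49:15 +0000] "GET /api/contents/%252e%252e/testtest/secret.txt HTTP/1.1" 200',
    '10.0.0.9 - - [05/May/2026:16:49:18 +0000] "GET /api/kernels HTTP/1.1" 200',
]

if __name__ == "__main__":
    probe = "%2e%2e/testtest/secret.txt"
    print("prefix check lets the sibling through:", inside_root_vulnerable(ROOT, probe))
    print("component check blocks it:", not inside_root_fixed(ROOT, probe))
    print("user1 can reach:", reachable_siblings(TENANTS, "user1"))
    print("flagged requests:", traversal_requests(SAMPLE_LOG))
```

Note that the prefix check only fails for siblings that share the root's name as a prefix: a probe into /srv/jupyter/other is rejected by both versions, which is why the bug is easy to miss in a single-tenant test setup.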
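The re.match() versus re.fullmatch() distinction from the second brief, the advisory's ^...$ workaround, and the log check its recommendation describes, as an added Python example. This is not code from the feed or from Jupyter Server; the pattern https://trusted\.example\.com, the origin="..." log field and the log lines are constructed, and the function names are hypothetical.

```python
import re
from typing import Iterable, List

# Example code written for this brief; not Jupyter Server's own implementation.
# The allow_origin_pat value and the log lines below are constructed.


def origin_allowed_vulnerable(allow_origin_pat: str, origin: str) -> bool:
    """Pre-fix behaviour as the advisory describes it: re.match() anchors the
    pattern at the start of the Origin value only, so any value that merely
    begins with an allowed origin is accepted."""
    return re.match(allow_origin_pat, origin) is not None


def origin_allowed_fixed(allow_origin_pat: str, origin: str) -> bool:
    """Post-fix behaviour: re.fullmatch() requires the whole value to match."""
    return re.fullmatch(allow_origin_pat, origin) is not None


def anchored(allow_origin_pat: str) -> str:
    """The advisory's workaround for servers still on <= 2.17.0: wrap the
    configured allow_origin_pat in ^...$ so the existing re.match() call cannot
    stop short of the end of the header value. The non-capturing group keeps
    alternations such as a|b from binding only their last branch to the $.
    (\\Z would be stricter than $, which also matches before a trailing newline,
    but browsers never send one in an Origin header.)"""
    return "^(?:" + allow_origin_pat + ")$"


def suspicious_origins(log_lines: Iterable[str], allow_origin_pat: str) -> List[str]:
    """Detection over access-log lines carrying an origin="..." field: flag every
    Origin value that the unanchored check accepts but a full match rejects,
    which is exactly the set of values that exploit the bug. The trusted origin
    itself is never flagged."""
    hits = []
    for line in log_lines:
        m = re.search(r'origin="([^"]*)"', line)
        if not m:
            continue
        origin = m.group(1)
        if origin_allowed_vulnerable(allow_origin_pat, origin) and not origin_allowed_fixed(allow_origin_pat, origin):
            hits.append(origin)
    return hits


ALLOW_ORIGIN_PAT = r"https://trusted\.example\.com"  # constructed; intent is "exactly this origin"

SAMPLE_LOG = [  # constructed log lines, not from a real server
    '10.0.0.5 - - [03/Jan/2024:12:00:01 +0000] "GET /api/contents/ HTTP/1.1" 200 origin="https://trusted.example.com"',
    '10.0.0.9 - - [03/Jan/2024:12:00:07 +0000] "GET /api/contents/ HTTP/1.1" 200 origin="https://trusted.example.com.evil.com"',
    '10.0.0.9 - - [03/Jan/2024:12:00:09 +0000] "POST /api/sessions HTTP/1.1" 201 origin="https://trusted.example.com.evil.com"',
    '10.0.0.7 - - [03/Jan/2024:12:00:12 +0000] "GET /api/contents/ HTTP/1.1" 403 origin="https://evil.com/?u=https://trusted.example.com"',
]

if __name__ == "__main__":
    evil = "https://trusted.example.com.evil.com"
    print("re.match accepts attacker origin:", origin_allowed_vulnerable(ALLOW_ORIGIN_PAT, evil))
    print("re.fullmatch rejects it:", not origin_allowed_fixed(ALLOW_ORIGIN_PAT, evil))
    print("^...$ workaround rejects it:", not origin_allowed_vulnerable(anchored(ALLOW_ORIGIN_PAT), evil))
    print("flagged origins:", suspicious_origins(SAMPLE_LOG, ALLOW_ORIGIN_PAT))
```

The fourth log line shows the limit of the bug from the attacker's side: because re.match() does anchor the start, an origin that only contains the trusted hostname somewhere later is rejected by both checks, so the attacker must actually control a hostname that begins with the trusted one. The unanchored pattern also silently accepts https://trusted.example.com:8888, which is not an attack but shows it was never matching only what the operator intended.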