CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39378: Arbitrary File Read via Path Traversal in Jupyter nbconvert

Vulnerability ID: CVE-2026-39378
CVSS Score: 6.5
Published: 2026-04-21

Jupyter nbconvert versions 6.5 through 7.17.0 contain a path traversal vulnerability. When the HTMLExporter.embed_images configuration is enabled, the markdown renderer improperly resolves local image paths. This flaw allows an attacker to read arbitrary files from the host system by providing a maliciously crafted Jupyter Notebook containing path traversal sequences in image references.

TL;DR

A path traversal vulnerability in Jupyter nbconvert allows arbitrary local file exfiltration. Exploitation requires user interaction to convert a malicious notebook to HTML with the HTMLExporter.embed_images setting enabled.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 / CWE-73
  • Attack Vector: Network
  • CVSS Score: 6.5
  • EPSS Score: 0.00036 (10.88%)
  • Impact: High Confidentiality
  • Exploit Status: Proof of Concept available
  • KEV Status: Not Listed

Affected Systems

  • Jupyter nbconvert
  • Jupyter Notebook ecosystem
  • nbconvert: >= 6.5, < 7.17.1 (Fixed in: 7.17.1)

Code Analysis

Commit: 0e6b8cc

Fix path traversal in markdown image embedding by adding os.path.abspath boundary checks.

Commit: ba5e5cd

Fix path traversal in ExtractAttachmentsPreprocessor by flattening attachment filenames with os.path.basename.
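To make the two checks described for these commits concrete, here is an added Python example; it is not nbconvert's own code, and the function names, the notebook directory and the config snippet are assumptions for illustration.

```python
import os
from typing import Optional


def resolve_embedded_image(notebook_dir: str, image_ref: str) -> Optional[str]:
    """Resolve a markdown image reference relative to the notebook's
    directory and refuse anything that escapes it.

    Mirrors the intent of the os.path.abspath boundary check described for
    commit 0e6b8cc; the function name is an assumption, not nbconvert's API.
    """
    base = os.path.abspath(notebook_dir)
    # join() discards base when image_ref is absolute, so abspath() alone
    # is not enough: the prefix comparison below is what enforces the boundary.
    candidate = os.path.abspath(os.path.join(base, image_ref))
    # Compare against base + separator so "/nb" does not match "/nb-other".
    if candidate != base and not candidate.startswith(base + os.sep):
        return None  # traversal sequence or absolute path outside the notebook dir
    return candidate  # note: abspath() does not follow symlinks; realpath() would


def flatten_attachment_name(name: str) -> str:
    """Strip every directory component from an attachment filename, as
    described for commit ba5e5cd (ExtractAttachmentsPreprocessor)."""
    flat = os.path.basename(name.replace("\\", "/"))
    return flat or "attachment"  # constructed fallback for an empty name


def embed_images_enabled(config_text: str) -> bool:
    """Return True if a jupyter_nbconvert_config.py snippet explicitly sets
    c.HTMLExporter.embed_images = True (the setting audited in remediation step 4)."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0].replace(" ", "")  # drop comments and spaces
        if code == "c.HTMLExporter.embed_images=True":
            return True
    return False
```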

Mitigation Strategies

  • Upgrade nbconvert to version 7.17.1 or higher.
  • Disable the HTMLExporter.embed_images configuration setting.
  • Audit automated conversion pipelines to ensure they do not explicitly enable image embedding.

Remediation Steps:

  1. Identify all environments and container images that use the Jupyter nbconvert library.
  2. Run pip install --upgrade nbconvert to install version 7.17.1 (or later).
  3. Verify the installed version with jupyter nbconvert --version.
  4. Where an older version must remain in use, review jupyter_nbconvert_config.py files to ensure c.HTMLExporter.embed_images is not set to True.

Read the full report for CVE-2026-39378 on our website for more details including interactive diagrams and full exploit analysis.