Technical description
A path traversal vulnerability in Jupyter Server version 2.17.0 allows an authenticated remote attacker with low privileges to read from and write to files in sibling directories outside the configured root directory. The root cause is a flawed boundary check in `_get_os_path()` (it uses `startswith(root)` without appending a trailing separator, so a sibling directory that shares the same string prefix passes the check), combined with a failure to strip `..` path components in `to_os_path()`. CVSS 3.x: 6.8 Medium. Disclosed via Huntr, modified by CISA-ADP on June 2, 2026.
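To make the boundary-check flaw concrete, the following is an added illustration written for this page; it is not Jupyter Server's own `_get_os_path()` or `to_os_path()`. It places a prefix check of the flawed kind beside a hardened one, and adds an API-path mapper that refuses `..` components. The root path and file names are constructed.

```python
import os

# Constructed example paths (not from the advisory): the configured root and a
# sibling directory whose name begins with the same string.
ROOT = "/srv/notebooks"
SIBLING_FILE = "/srv/notebooks-shared/model_weights.bin"


def flawed_is_inside_root(root: str, candidate: str) -> bool:
    """Prefix check of the flawed kind described above (illustrative, not
    Jupyter Server's code): no trailing separator is appended, so any sibling
    whose name begins with the root name (e.g. '/srv/notebooks-shared') passes."""
    root = os.path.abspath(root)
    candidate = os.path.abspath(candidate)
    return candidate.startswith(root)


def safe_is_inside_root(root: str, candidate: str) -> bool:
    """Hardened check: normalise both paths, then require the root to be a whole
    path-component prefix, which rejects siblings and '..' escapes alike."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def safe_to_os_path(root: str, api_path: str) -> str:
    """Map a forward-slash API path (relative to root) onto the filesystem,
    dropping empty and '.' components and refusing any '..' component outright."""
    parts = [p for p in api_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError(f"refusing '..' component in {api_path!r}")
    os_path = os.path.join(root, *parts)
    if not safe_is_inside_root(root, os_path):  # defence in depth
        raise PermissionError(f"{api_path!r} resolves outside {root!r}")
    return os_path


if __name__ == "__main__":
    print("flawed check accepts sibling:", flawed_is_inside_root(ROOT, SIBLING_FILE))
    print("hardened check accepts sibling:", safe_is_inside_root(ROOT, SIBLING_FILE))
    print("mapped:", safe_to_os_path(ROOT, "alice/train.ipynb"))
```

Note that the flawed check also accepts `/srv/notebooks/../notebooks-shared/x`, because `abspath()` collapses the `..` before the prefix comparison, which is why stripping `..` components and checking whole path components both matter.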
Attack vector
An attacker with authenticated low-privilege access to a shared Jupyter Server instance crafts path traversal sequences to navigate outside the root notebook directory and access or overwrite files in sibling directories — which in shared ML environments frequently contain model artifacts, credentials, training data, experiment outputs, or other users' work.
Affected systems
Jupyter Server 2.17.0 running in shared-hosting configurations: multi-user data-science platforms, JupyterHub deployments, cloud notebook services, university research environments, and any ML pipeline where multiple users share a server with sibling-directory data stores.
Mitigation
No patch version was available at the time of disclosure (NVD entry marked 'Awaiting Enrichment'). Immediate mitigations: (1) isolate Jupyter users in per-user containers with strict filesystem mounts; (2) restrict filesystem permissions so the Jupyter server process cannot access sibling directories; (3) monitor server access logs for unusual requests whose paths contain `..`; (4) review all instances exposed in shared-hosting configurations and apply the vendor fix when it is released. Track the Huntr bounty page for patch status.