CVE-2026-33589 HIGH

CVE-2026-33589: Arbitrary File Read via Local File Inclusion (LFI)

Vendor Open Notebook
Product Open Notebook
Weakness CWE-20 · Input validation
Published May 7, 2026
Last update May 7, 2026

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal.

Key dates

02Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated