CVE-2026-39377 MEDIUM

CVE-2026-39377: nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames

Vendor Jupyter
Product nbconvert
Weakness CWE-22 · Path traversal
Published April 21, 2026
Last update April 21, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated