2459951 – (CVE-2026-39377) CVE-2026-39377 nbconvert: nbconvert: Arbitrary file write via crafted Jupyter notebook cell attachment filenames

Bug 2459951 (CVE-2026-39377) - CVE-2026-39377 nbconvert: nbconvert: Arbitrary file write via crafted Jupyter notebook cell attachment filenames

Summary: CVE-2026-39377 nbconvert: nbconvert: Arbitrary file write via crafted Jupyter...

Keywords:
Status:	NEW
Alias:	CVE-2026-39377
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-21 02:01 UTC by OSIDB Bzimport
Modified:	2026-04-21 13:53 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-21 02:01:56 UTC

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.

Note You need to log in before you can comment on or make changes to this bug.