CVE-2026-39377: nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames

April 21, 2026

nbconvert allows arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The ExtractAttachmentsPreprocessor passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension.

References

github.com/advisories/GHSA-4c99-qj7h-p3vg
github.com/jupyter/nbconvert
github.com/jupyter/nbconvert/releases/tag/v7.17.1
github.com/jupyter/nbconvert/security/advisories/GHSA-4c99-qj7h-p3vg
nvd.nist.gov/vuln/detail/CVE-2026-39377

Code Behaviors & Features

Detect and mitigate CVE-2026-39377 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →