Description
Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal.
Published: 2026-05-07
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from missing input validation in the file upload functionality of Open Notebook v1.8.3: a client-supplied file name containing path traversal sequences is used to build the destination path, so the application creates or overwrites files outside the intended upload directory on the Docker container. An attacker who can reach the upload feature can therefore modify configuration or application files or drop executable content, compromising the integrity and availability of the container (the published CVSS v4.0 vector rates the confidentiality impact as none). The weakness is classified as CWE-20 (Improper Input Validation). The advisory does not describe a separate privilege escalation, so writes occur with the privileges of the container process; if that process runs as root, an arbitrary file write is sufficient for full control of the container.

Affected Systems

The affected product is Open Notebook, and the vulnerable component is the file upload functionality of its web application as deployed in a Docker container. Only v1.8.3 is named; the advisory does not state whether earlier releases are affected, so operators of other versions should check the vendor's release notes rather than assume either way.

Risk and Exploitability

The CVSS v4.0 base score of 7 rates the issue High. The EPSS score is below 1% (Very Low), and the SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of active exploitation at the time of writing; the Technical Impact is nevertheless rated total, because a path traversal file write with the container's privileges is straightforward to exploit once the vector is known. The vulnerability is not listed in CISA KEV. Note that the published vector marks the attack vector as local (AV:L) with no privileges required, while the description attributes the issue to an application user of the upload feature; operators of network-reachable instances should treat the upload endpoint as remotely attackable rather than rely on the AV:L rating.

Generated by OpenCVE AI on May 7, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open Notebook as soon as a release containing a file upload validation fix is published (none is listed on this page at the time of writing)
  • Disable or remove the file upload feature if it is not required for business operations
  • For any remaining upload path, reject client-supplied names that contain path separators, NUL bytes or dot segments, and verify that the resolved destination lies strictly inside the upload directory before writing
  • Run the Docker container as a non-root user with a read-only root filesystem (docker run --read-only), mounting only the upload directory writable, so a traversal write cannot reach system or application files
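The traversal pattern behind this CVE and the check the third recommendation describes, as an added example in Python that is not taken from Open Notebook's code: the upload root, the attacker file names and all function names are assumed for illustration.

```python
"""Added example (not Open Notebook's code): the vulnerable join that yields a
path traversal file write, next to a hardened name check and containment test.
The upload root and file names are hypothetical."""
import os
import re
from pathlib import Path
from typing import Optional

# Hypothetical upload directory inside the container; not taken from the project.
UPLOAD_ROOT = Path("/app/data/uploads")

# Conservative allowlist for a bare file name: no separators, no NUL, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def unsafe_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Vulnerable pattern (CWE-20 / path traversal): the client-supplied name is
    joined onto the upload root unchecked. '..' segments survive, and an absolute
    name replaces the root entirely, so the caller writes wherever the client says."""
    return root / filename


def traversal_target(filename: str, root: Path = UPLOAD_ROOT) -> str:
    """Where the vulnerable join actually lands once the OS collapses the '..' segments."""
    return os.path.normpath(str(unsafe_upload_path(filename, root)))


def validate_upload_name(filename: str) -> Optional[str]:
    """Return None if the bare name is acceptable, otherwise the reason it was rejected."""
    if "\x00" in filename:
        return "NUL byte"
    if "/" in filename or "\\" in filename:
        return "path separator"
    if filename in ("", ".", ".."):
        return "empty or dot name"
    if not _SAFE_NAME.fullmatch(filename):
        return "character outside allowlist"
    return None


def safe_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened version: validate the bare name first, then confirm the resolved
    target sits strictly below the resolved root. The second check is defence in
    depth: it also catches a symlink inside the root that points elsewhere."""
    reason = validate_upload_name(filename)
    if reason is not None:
        raise ValueError(f"rejected upload name {filename!r}: {reason}")
    root_resolved = root.resolve()
    target = (root_resolved / filename).resolve()
    if root_resolved not in target.parents:
        raise ValueError(f"upload target {target} escapes {root_resolved}")
    return target


if __name__ == "__main__":
    # Constructed attacker inputs for illustration; the first one is benign.
    for name in ["report.pdf", "../../../etc/cron.d/evil", "/etc/passwd", "a\\..\\b"]:
        print(f"{name!r:30} unsafe -> {traversal_target(name)}")
        try:
            print(f"{'':30} safe   -> {safe_upload_path(name)}")
        except ValueError as exc:
            print(f"{'':30} safe   -> rejected ({exc})")
```

Rejecting names with separators outright, rather than taking their basename, keeps the behaviour obvious and avoids silently storing an attacker's `evil` under a different path than they asked for; the `resolve()` containment check stays in place so that a later bug in the allowlist, or a symlink planted inside the upload directory, still cannot redirect the write outside it.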



Advisories

No advisories yet.

History

Thu, 07 May 2026 12:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 11:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal.
Title        (none)           Arbitrary File Write Through Path Traversal
Weaknesses   (none)           CWE-20
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-07T11:35:18.521Z

Reserved: 2026-03-23T12:53:47.474Z

Link: CVE-2026-33588

Vulnrichment

Updated: 2026-05-07T11:35:15.086Z

NVD

Status : Received

Published: 2026-05-07T11:16:01.020

Modified: 2026-05-07T11:16:01.020

Link: CVE-2026-33588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T12:30:29Z

Weaknesses