Description
JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlab_git/handlers.py to enforce excluded_paths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded directories. This issue is fixed in version 0.54.0.
Published: 2026-07-08
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from the use of fnmatch.fnmatchcase to enforce excluded_paths in JupyterLab Git’s GitHandler.prepare. On a case‑insensitive file system an authenticated user can alter the capitalization of a URL path and bypass the exclusion, allowing them to read files that should be protected. This is a case‑sensitivity (CWE‑178) error that jeopardizes confidentiality of potentially private repository content.

Affected Systems

The vulnerability affects the jupyterlab-git extension for JupyterLab before version 0.54.0. Any installation of jupyterlab‑git 0.53.x or earlier that relies on excluded_paths is impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity of unauthorized data exposure. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user inside a JupyterLab instance on a case‑insensitive file system altering URL path casing to read excluded directories. The vulnerability can be exploited with minimal credentials, so careful monitoring and prompt patching are recommended.

Generated by OpenCVE AI on July 9, 2026 at 03:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jupyterlab‑git to version 0.54.0 or later to apply the official fix.
  • If an immediate upgrade is not feasible, run the JupyterLab server on a case‑sensitive file system or implement user‑level access controls that prevent traversal into excluded directories.
  • Audit JupyterLab logs for repeated attempts to access excluded paths and enforce stricter role‑based permissions on repository content.

Generated by OpenCVE AI on July 9, 2026 at 03:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-436q-jwfr-rm2h jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlab_git/handlers.py to enforce excluded_paths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded directories. This issue is fixed in version 0.54.0.
Title jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
Weaknesses CWE-178
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T21:04:18.613Z

Reserved: 2026-06-15T18:40:01.651Z

Link: CVE-2026-54528

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:00:11Z

Weaknesses
  • CWE-178

    Improper Handling of Case Sensitivity