Description
A flaw has been found in UsamaK98 python-notebook-mcp up to a05a232815809a7e425b5fa7be26e0d4369894c2. Impacted is the function create_notebook/read_notebook/edit_cell/add_cell of the file server.py. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-05
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the create_notebook/read_notebook/edit_cell/add_cell functions of python-notebook-mcp's server.py, where a client-supplied path is used to locate a notebook file without being confined to the intended directory, allowing path traversal. The flaw is reachable remotely and may enable reading or writing files outside the notebook directory that the server process can access, which could expose sensitive data or tamper with notebooks and other files. The CVSS v4.0 vector rates confidentiality, integrity and availability impact as low (VC:L/VI:L/VA:L); code execution is not claimed by the advisory. The weakness is classed as CWE-22. The product uses a rolling release model, so all commits up to a05a2328 are affected until a fix is released.

Affected Systems

All checkouts of the UsamaK98/python-notebook-mcp repository at or before commit a05a2328 are affected. The project publishes no versioned releases, so any installation following the current rolling release is exposed until a fixing commit lands.

Risk and Exploitability

The CVSS v4.0 score of 6.9 places the flaw at Medium severity (the v3.1 vector scores 7.3, High); the v4.0 vector requires no privileges or user interaction (PR:N/UI:N). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but published exploit code exists, so the attack window is realistic. Based on the description, it is inferred that an attacker supplies a crafted path argument to one of the affected tools (add_cell per the advisory title, or create_notebook/read_notebook/edit_cell); once the server resolves that path without checking containment, it reaches files outside the intended notebook directory, making the risk substantial for network-exposed deployments.

Generated by OpenCVE AI on May 5, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python-notebook-mcp to a commit that resolves the path-traversal bug; until one exists, pin the commit you run and watch the upstream issue report so you can verify the fixing commit hash when it lands.
  • If an immediate upgrade is impossible, do not expose the MCP server to untrusted networks: restrict it to trusted clients, and disable the create_notebook, read_notebook, edit_cell and add_cell tools if they are not needed, since the flaw is reachable without authentication.
  • Where you can wrap the server, canonicalise every client-supplied path (resolve ".." components and symlinks) and verify that the result stays under the notebook directory before the file is opened; normalising the string alone is not sufficient without that containment check.
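As an added example (not code from python-notebook-mcp or from the OpenCVE page), the following Python shows the weak join-and-trust pattern behind CWE-22 next to a canonicalise-then-check-containment routine of the kind the last recommendation describes, run over a set of constructed paths. The notebook root /srv/notebooks, the .ipynb restriction and the sample paths are assumptions made for the demonstration; nothing here is taken from server.py.

```python
"""Added example: path containment for a notebook-serving tool.

Not code from python-notebook-mcp. NOTEBOOK_ROOT, the .ipynb restriction
and SAMPLE_PATHS are assumptions made for the demonstration.
"""
from pathlib import Path

# Assumed root directory that a notebook server intends to confine
# create/read/edit operations to (hypothetical path).
NOTEBOOK_ROOT = Path("/srv/notebooks")


def naive_notebook_path(root: Path, user_path: str) -> Path:
    """Weak pattern: join the client-supplied path and trust the result.

    '..' components survive the join, and an absolute user_path replaces
    root entirely, so the result can point anywhere the process can reach.
    """
    return root / user_path


def escapes_root(root: Path, user_path: str) -> bool:
    """Report whether the naive join lands outside root once canonicalised."""
    root_real = root.resolve()
    target = naive_notebook_path(root, user_path).resolve()
    return target != root_real and root_real not in target.parents


def safe_notebook_path(root: Path, user_path: str) -> Path:
    """Hardened pattern: canonicalise first, then prove containment.

    Path.resolve() collapses '..' and follows symlinks (strict=False, so a
    notebook that does not exist yet still resolves). relative_to() raises
    ValueError when the canonical target is not under the canonical root,
    which also defeats prefix tricks such as '/srv/notebooks-evil/x.ipynb'
    that a plain startswith() check would accept.
    """
    if not user_path or "\x00" in user_path:
        raise ValueError("empty path or embedded NUL byte")
    root_real = root.resolve()
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise ValueError(f"path escapes notebook root: {user_path!r}") from None
    if candidate.suffix != ".ipynb":
        raise ValueError(f"not a notebook file: {user_path!r}")
    return candidate


def classify(root: Path, user_path: str) -> str:
    """Verdict of the hardened check, 'allowed' or 'rejected', for tabulation."""
    try:
        safe_notebook_path(root, user_path)
    except ValueError:
        return "rejected"
    return "allowed"


# Constructed sample inputs: two legitimate notebook paths, three traversal
# attempts and one wrong file type. These are not observed attack payloads.
SAMPLE_PATHS = [
    "analysis.ipynb",
    "project/2026/report.ipynb",
    "../../../etc/passwd",
    "/etc/passwd",
    "project/../../outside.ipynb",
    "notes.txt",
]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:32} naive escapes root: {str(escapes_root(NOTEBOOK_ROOT, p)):5} "
              f"hardened: {classify(NOTEBOOK_ROOT, p)}")
```

Resolving the root as well as the candidate matters: if the notebook directory is itself reached through a symlink, comparing a resolved candidate against an unresolved root would reject every legitimate path, and comparing two unresolved paths would miss symlinked escapes.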

Generated by OpenCVE AI on May 5, 2026 at 05:50 UTC.

Advisories

No advisories yet.

History

Tue, 05 May 2026 04:00:00 +0000

Type: Values Removed -> Values Added
Description: (none) -> A flaw has been found in UsamaK98 python-notebook-mcp up to a05a232815809a7e425b5fa7be26e0d4369894c2. Impacted is the function create_notebook/read_notebook/edit_cell/add_cell of the file server.py. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title: (none) -> UsamaK98 python-notebook-mcp server.py add_cell path traversal
Weaknesses: (none) -> CWE-22
References: (none) -> (none listed)
Metrics: (none) ->
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T03:45:14.085Z

Reserved: 2026-05-04T21:22:13.227Z

Link: CVE-2026-7810

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T04:16:19.960

Modified: 2026-05-05T04:16:19.960

Link: CVE-2026-7810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T06:00:10Z

Weaknesses