PT-2026-45727 · Jupyter · Jupyter/Jupyter

Published: 2026-06-02 · Updated: 2026-06-02 · CVE-2026-5422

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator, so a sibling directory whose name begins with the same characters as root_dir passes the check. Additionally, the to_os_path() function in utils.py does not strip ".." from path parts, so traversal sequences survive the join and also pass the vulnerable check. This vulnerability can lead to unauthorized read/write access to files in sibling directories, potentially exposing sensitive data in shared hosting environments.
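As an added illustration (not jupyter-server's code and not the fix the project shipped), the two defects the advisory describes and a containment check that survives both, written in Python against a constructed layout: a served root_dir of /srv/notebooks beside a sibling directory /srv/notebooks_shared. The function names and sample paths are assumptions for the example.

```python
import posixpath

# Constructed layout for the illustration (not from the advisory): the served
# root_dir and a sibling directory whose name begins with the same prefix.
ROOT_DIR = "/srv/notebooks"
SIBLING_FILE = "/srv/notebooks_shared/secret.txt"


def to_os_path_lenient(api_path: str, root: str) -> str:
    """Join API path parts onto root without dropping '..' parts.

    Mirrors the behaviour the advisory attributes to to_os_path(): traversal
    components survive the join and are left for a later check to catch.
    """
    parts = [p for p in api_path.strip("/").split("/") if p]
    return posixpath.join(root, *parts) if parts else root


def is_under_root_prefix(os_path: str, root: str) -> bool:
    """Bare prefix test: true for any string that merely starts with root's characters."""
    return os_path.startswith(root)


def is_under_root(os_path: str, root: str) -> bool:
    """Component-wise containment check.

    normpath() collapses '..' before comparing, and commonpath() compares whole
    path components, so '/srv/notebooks_shared' is not under '/srv/notebooks'.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(os_path)
    return posixpath.commonpath([root, candidate]) == root


def to_os_path_strict(api_path: str, root: str) -> str:
    """Join that refuses traversal components outright (defence in depth)."""
    parts = [p for p in api_path.strip("/").split("/") if p]
    if any(p == ".." for p in parts):
        raise ValueError(f"path escapes root_dir: {api_path!r}")
    return posixpath.join(root, *parts) if parts else root


def weak_check(api_path: str, root: str = ROOT_DIR) -> bool:
    """Lenient join + prefix test: the combination the advisory calls vulnerable."""
    return is_under_root_prefix(to_os_path_lenient(api_path, root), root)


def hardened_check(api_path: str, root: str = ROOT_DIR) -> bool:
    """Strict join + component-wise containment; False for anything outside root."""
    try:
        return is_under_root(to_os_path_strict(api_path, root), root)
    except ValueError:
        return False


if __name__ == "__main__":
    for api_path in ["work/analysis.ipynb", "../notebooks_shared/secret.txt", ""]:
        print(f"{api_path!r:35} weak={weak_check(api_path)!s:5} hardened={hardened_check(api_path)}")
    # An already-resolved sibling path shows the prefix flaw on its own,
    # independent of the '..' handling.
    print(SIBLING_FILE, is_under_root_prefix(SIBLING_FILE, ROOT_DIR), is_under_root(SIBLING_FILE, ROOT_DIR))
```

Either repair alone closes the traversal variant (is_under_root rejects the lenient join's output once normalised), but only the component-wise comparison closes the sibling-prefix variant; appending a separator to root before startswith() is the minimal equivalent of what commonpath() does here.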

Weakness Enumeration: Relative Path Traversal

Related Identifiers: CVE-2026-5422

Affected Products: Jupyter/Jupyter