
PEACH
Un cadre d’isolation des locataires
CVE-2026-54528 is a case-sensitivity bypass vulnerability in the jupyterlab-git JupyterLab extension that allows authenticated users to circumvent administrator-configured excluded_paths access controls on case-insensitive filesystems. The flaw affects jupyterlab-git versions up to and including 0.53.0 and was published on June 18–19, 2026, with a patch released in version 0.54.0. It carries a CVSS v3.1 base score of 7.1 (High) (GitHub Advisory, jupyterlab-git Advisory).
The root cause is the use of fnmatch.fnmatchcase() in GitHandler.prepare() (jupyterlab_git/handlers.py:91) to enforce the excluded_paths security control (CWE-178: Improper Handling of Case Sensitivity). Unlike fnmatch.fnmatch(), which normalizes paths via os.path.normcase() on case-insensitive platforms, fnmatchcase() is unconditionally case-sensitive — meaning a pattern like /project/secrets will block that exact string but not /project/Secrets. On macOS APFS and Windows NTFS, both paths resolve to the same filesystem location, so the downstream url2localpath() function successfully accesses the excluded directory after the check is bypassed. An attacker simply varies the case of one or more path segments in their HTTP request to evade the exclusion check entirely (GitHub Advisory).
A successfully exploited vulnerability allows an authenticated JupyterLab user to read file content at any git ref via the /content endpoint, view working tree files in excluded directories, inspect git status, logs, and diffs on excluded paths, and enumerate commits touching excluded files. This primarily affects confidentiality (rated High), with a low integrity impact, and no availability impact. Sensitive data such as credentials, API keys, or proprietary source code stored in administrator-excluded directories can be exfiltrated by any user with a valid session on the affected Jupyter server (jupyterlab-git Advisory).
jupyterlab-git ≤ 0.53.0 on macOS (APFS) or Windows (NTFS) with excluded_paths configured (e.g., c.JupyterLabGit.excluded_paths = ["/project/secrets", "/project/secrets/*"]).POST /git/project/secrets/status with Authorization: token <TOKEN> — expect HTTP 404.POST /git/project/Secrets/status — the fnmatchcase() check fails to match, returning HTTP 200./content endpoint with the case-varied path to read files at any git ref:POST /git/project/Secrets/content
{"filename": "./cred.txt", "reference": {"git": "HEAD"}}The server returns the file content, including any secrets committed to the repository (GitHub Advisory, jupyterlab-git Advisory).
/git/<path>/status, /git/<path>/content, /git/<path>/log, or /git/<path>/diff where <path> contains mixed-case directory names that correspond to configured excluded_paths (e.g., /git/project/Secrets/ vs. /git/project/secrets/)./content endpoints with {"reference": {"git": "HEAD"}} or other git refs targeting directories matching excluded_paths patterns (case-insensitively).Upgrade jupyterlab-git to version 0.54.0, which resolves the issue by replacing fnmatch.fnmatchcase() with a case-normalized comparison. The fix involves replacing the vulnerable check with fnmatch.fnmatch(path.lower(), excluded_path.lower()) or applying os.path.normcase() to both operands before comparison. As an interim workaround on affected systems, administrators can restrict Jupyter server access to trusted users only, or avoid running jupyterlab-git on case-insensitive filesystems (macOS APFS, Windows NTFS) until the patch is applied. Install the patched version with: pip install 'jupyterlab-git>=0.54.0' (GitHub Advisory, jupyterlab-git Advisory).
The advisory was published by jtpio (a jupyterlab maintainer) on June 18, 2026, with credit to reporter AAtomical and remediation reviewer Yann-P. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (jupyterlab-git Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."