CVE-2026-54528
Python Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-54528 is a case-sensitivity bypass vulnerability in the jupyterlab-git JupyterLab extension that allows authenticated users to circumvent administrator-configured excluded_paths access controls on case-insensitive filesystems. The flaw affects jupyterlab-git versions up to and including 0.53.0 and was published on June 18–19, 2026, with a patch released in version 0.54.0. It carries a CVSS v3.1 base score of 7.1 (High) (GitHub Advisory, jupyterlab-git Advisory).

Détails techniques

The root cause is the use of fnmatch.fnmatchcase() in GitHandler.prepare() (jupyterlab_git/handlers.py:91) to enforce the excluded_paths security control (CWE-178: Improper Handling of Case Sensitivity). Unlike fnmatch.fnmatch(), which normalizes paths via os.path.normcase() on case-insensitive platforms, fnmatchcase() is unconditionally case-sensitive — meaning a pattern like /project/secrets will block that exact string but not /project/Secrets. On macOS APFS and Windows NTFS, both paths resolve to the same filesystem location, so the downstream url2localpath() function successfully accesses the excluded directory after the check is bypassed. An attacker simply varies the case of one or more path segments in their HTTP request to evade the exclusion check entirely (GitHub Advisory).

Impact

A successfully exploited vulnerability allows an authenticated JupyterLab user to read file content at any git ref via the /content endpoint, view working tree files in excluded directories, inspect git status, logs, and diffs on excluded paths, and enumerate commits touching excluded files. This primarily affects confidentiality (rated High), with a low integrity impact, and no availability impact. Sensitive data such as credentials, API keys, or proprietary source code stored in administrator-excluded directories can be exfiltrated by any user with a valid session on the affected Jupyter server (jupyterlab-git Advisory).

Étapes d’exploitation

  1. Identify target: Locate a JupyterLab instance running jupyterlab-git ≤ 0.53.0 on macOS (APFS) or Windows (NTFS) with excluded_paths configured (e.g., c.JupyterLabGit.excluded_paths = ["/project/secrets", "/project/secrets/*"]).
  2. Authenticate: Obtain a valid session token or credentials for the Jupyter server (low-privilege user access is sufficient).
  3. Confirm exclusion is active: Send a normal POST request to the excluded path: POST /git/project/secrets/status with Authorization: token <TOKEN> — expect HTTP 404.
  4. Bypass via case variation: Resend the request with a case-varied path segment: POST /git/project/Secrets/status — the fnmatchcase() check fails to match, returning HTTP 200.
  5. Exfiltrate file content: POST to the /content endpoint with the case-varied path to read files at any git ref:
POST /git/project/Secrets/content
{"filename": "./cred.txt", "reference": {"git": "HEAD"}}

The server returns the file content, including any secrets committed to the repository (GitHub Advisory, jupyterlab-git Advisory).

Indicateurs de compromis

  • Network: HTTP POST requests to /git/<path>/status, /git/<path>/content, /git/<path>/log, or /git/<path>/diff where <path> contains mixed-case directory names that correspond to configured excluded_paths (e.g., /git/project/Secrets/ vs. /git/project/secrets/).
  • Logs: Jupyter server access logs showing HTTP 200 responses to requests targeting case-varied versions of excluded paths, particularly from the same authenticated user who also received HTTP 404 responses for the lowercase equivalent paths.
  • Logs: Repeated access to /content endpoints with {"reference": {"git": "HEAD"}} or other git refs targeting directories matching excluded_paths patterns (case-insensitively).
  • Behavioral: A single authenticated user session alternating between blocked (404) and successful (200) requests to semantically identical paths differing only in case (GitHub Advisory).

Atténuation et solutions de contournement

Upgrade jupyterlab-git to version 0.54.0, which resolves the issue by replacing fnmatch.fnmatchcase() with a case-normalized comparison. The fix involves replacing the vulnerable check with fnmatch.fnmatch(path.lower(), excluded_path.lower()) or applying os.path.normcase() to both operands before comparison. As an interim workaround on affected systems, administrators can restrict Jupyter server access to trusted users only, or avoid running jupyterlab-git on case-insensitive filesystems (macOS APFS, Windows NTFS) until the patch is applied. Install the patched version with: pip install 'jupyterlab-git>=0.54.0' (GitHub Advisory, jupyterlab-git Advisory).

Réactions de la communauté

The advisory was published by jtpio (a jupyterlab maintainer) on June 18, 2026, with credit to reporter AAtomical and remediation reviewer Yann-P. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (jupyterlab-git Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Python Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git
NonOuiJul 08, 2026
CVE-2026-55206HIGH8.7
  • Python logoPython
  • py7zr
NonOuiJul 08, 2026
CVE-2026-55195HIGH8.7
  • Python logoPython
  • python313-py7zr
NonOuiJul 08, 2026
CVE-2026-54499HIGH7.5
  • Python logoPython
  • stanza
NonOuiJul 08, 2026
CVE-2026-54528HIGH7.1
  • Python logoPython
  • jupyterlab-git
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités