VYPR
← All advisories
Critical severity9.3NVD Advisory· Published Jun 18, 2026· Updated Jun 18, 2026

Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP

CVE-2026-44727

Description

The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy.

Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE.

Impact

An authenticated victim who navigates to /nbconvert/html/ containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin.

Patches

Fixed in v2.20.0, commit 6cbee8d

Workarounds

For deployments where editing the installed jupyter_server is impractical (containerized builds, read-only images), adding this to jupyter_server_config.py has the same effect as the patch above without touching source files:

import jupyter_server.nbconvert.handlers as _nb

def _csp(self):
    return super(type(self), self).content_security_policy + "; sandbox allow-scripts"

_nb.NbconvertFileHandler.content_security_policy = property(_csp)
_nb.NbconvertPostHandler.content_security_policy = property(_csp)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Missing sandbox directive in Content-Security-Policy for nbconvert-served HTML pages allows stored XSS via unsanitized notebook output."

Attack vector

An authenticated attacker uploads a notebook containing malicious HTML/JavaScript in a `display_data` output cell. When a victim navigates to `/nbconvert/html/<path>` for that notebook, the server renders the HTML under the Jupyter origin without a sandbox CSP directive [ref_id=1]. Because `nbconvert.HTMLExporter` does not sanitize output by default, the attacker's script executes in the victim's session, enabling token exfiltration, full `/api/*` authority, and kernel RCE.

What the fix does

The patch adds a `content_security_policy` property to both `NbconvertFileHandler` and `NbconvertPostHandler` that appends `; sandbox allow-scripts` to the existing CSP header [patch_id=6470628]. This confines any JavaScript in the rendered notebook to a unique origin, preventing it from interacting with the Jupyter server. The behavior is controlled by the new `ServerApp.nbconvert_csp_sandbox` configuration option, which defaults to `True`. The commit also adds tests verifying the CSP header is present when the option is enabled and absent when disabled.

Preconditions

  • authAttacker must have an authenticated Jupyter session to upload a notebook
  • authVictim must be authenticated and navigate to the nbconvert HTML endpoint for the attacker's notebook
  • configThe server must be running a version prior to the fix (before v2.20.0)

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.