CVE-2026-54528

Source
https://cve.org/CVERecord?id=CVE-2026-54528
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54528.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54528
Aliases
Published
2026-07-08T21:04:18.613Z
Modified
2026-07-13T16:42:59.177387872Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
Details

JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase() in GitHandler.prepare() in jupyterlabgit/handlers.py to enforce excludedpaths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded directories. This issue is fixed in version 0.54.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-178"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54528.json"
}
References

Affected packages

Git / github.com/jupyterlab/jupyterlab-git

Affected ranges

Type
GIT
Repo
https://github.com/jupyterlab/jupyterlab-git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.54.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.21.0
v0.21.0a0
v0.21.0a1
v0.21.0rc0
v0.21.1
v0.22.0
v0.22.1
v0.22.2
v0.22.3
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.3.0
v0.30.0
v0.30.0b1
v0.30.0b1.post1
v0.30.0b2
v0.30.0b3
v0.30.1
v0.31.0
v0.31.0a0
v0.32.0
v0.32.1
v0.32.2
v0.33.0
v0.34.0
v0.34.1
v0.34.2
v0.35.0
v0.36.0
v0.37.0
v0.37.1
v0.38.0
v0.39.0
v0.39.1
v0.39.2
v0.39.3
v0.39.3.post1
v0.4.0
v0.4.1
v0.4.2
v0.4.4
v0.40.0
v0.40.1
v0.41.0
v0.42.0
v0.42.0rc0
v0.43.0
v0.44.0
v0.5.0
v0.50.0
v0.50.0a0
v0.50.0a1
v0.50.0a2
v0.50.0rc0
v0.50.1
v0.50.2
v0.51.0
v0.51.1
v0.51.2
v0.51.3
v0.51.4
v0.52.0
v0.53.0
v0.53.0a0
v0.53.0a1
v0.54.0a0
v0.54.0a1
v0.6.0
v0.6.1
v0.6.1-alpha.0
v0.7.1
v0.8
v0.8.1
v0.8.2
v0.9.0
v0.9.0rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54528.json"