CVE-2026-33589 PUBLISHED

Arbitrary File Read via Local File Inclusion (LFI)

Assigner: ENISA
Reserved: 23.03.2026 Published: 07.05.2026 Updated: 07.05.2026

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
CVSS Score: 8.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Open Notebook
Product	Open Notebook
Versions	Default: unaffected affected from 0 to 1.8.3 (incl.)

Credits

CERT-EU finder

References

https://github.com/lfnovo/open-notebook/security/advisories/GHSA-842v-h4cj-r646

Problem Types

CWE-20 Improper input validation CWE

Impacts

CAPEC-76 Manipulating Web Input to File System Calls
CAPEC-545 Pull Data from System Resources