Critical (10.0)

Open Notebook RCE via SSTI (CVE-2026-33587)

CVE-2026-33587: Open Notebook v1.8.3 unauthenticated RCE via server-side template injection (CVSS 10.0). Patch now by upgrading to v1.8.4.

Affected: Lfnovo Open-Notebook

Patch now - CVE-2026-33587 is a critical unauthenticated remote code execution in Open Notebook v1.8.3 that lets any application user execute arbitrary OS commands on the underlying Docker container via a server-side template injection (SSTI) attack. A fix has been released in Open Notebook v1.8.4 - upgrade immediately.

Overview

CVE-2026-33587 affects Open Notebook version 1.8.3, an open-source interactive computing platform. The vulnerability lies in the lack of input sanitization for user-created data transformations. By crafting a malicious transformation template, an unauthenticated attacker can inject Jinja2 or similar template expressions that the server processes unsafely. This Server-Side Template Injection (SSTI) allows the attacker to execute arbitrary Python code, which in turn can be used to run shell commands on the Docker container hosting the application.

With a CVSS score of 10.0 (Critical), this is the most severe classification possible. The attack vector is over the network, requires no authentication, no user interaction, and low attack complexity. An attacker only needs the ability to submit a transformation request to the notebook server to achieve full code execution.

Impact

A successful exploitation grants the attacker complete control over the Open Notebook Docker container. The attacker can:

  • Read, modify, or delete any notebook files and data accessible within the container.
  • Install backdoors, exfiltrate data, or pivot to other systems accessible from the container.
  • Disrupt service availability by crashing the container or consuming its resources.

The low EPSS score (0.0%) indicates that exploitation has not been observed in the wild at this time, but the low complexity of the attack means that public proof-of-concept code could quickly change this risk profile. Organizations running Open Notebook should treat this as an emergency now, before exploitation is observed, rather than waiting for it.

Affected Versions

  • Open Notebook v1.8.3 (all deployments using Docker containers)

Remediation

Patch: Upgrade to Open Notebook v1.8.4 or later. The vendor has addressed the input validation gap in this release. Verification: After upgrading, confirm the application no longer accepts raw template strings in transformation inputs without sanitization.

For deployments that cannot immediately patch:

  • Restrict network access to the Open Notebook service to trusted IP ranges only.
  • Apply a Web Application Firewall (WAF) rule set to block SSTI payload patterns in transformation parameters (e.g., regular expressions such as \{\{.*\}\} and \{\% .* \%\}, which match Jinja2 expression and statement tags).
  • Monitor system logs for unexpected Python process execution or shell commands originating from the notebook process.
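The screening step behind the WAF and verification guidance above can be expressed directly in code. The following is an added example written for this advisory, not code from the Open Notebook project or its fix: it screens the parameters of a transformation request for Jinja2-style expression and statement tags before they reach any template engine, and rejects the request if any are present. The parameter names and the sample requests are constructed for illustration and do not reflect Open Notebook's actual API.

```python
import re
from typing import Dict, List

# Patterns for Jinja-style template syntax, mirroring the advisory's WAF guidance:
# "{{ ... }}" expression tags and "{% ... %}" statement tags. DOTALL is set so a
# tag whose body is split across lines is still detected; the match is non-greedy
# so a value containing several tags reports correctly.
TEMPLATE_TAG_PATTERNS = {
    "expression": re.compile(r"\{\{.*?\}\}", re.DOTALL),
    "statement": re.compile(r"\{%.*?%\}", re.DOTALL),
}


def find_template_tags(value: str) -> List[str]:
    """Return the kinds of template tags ('expression', 'statement') found in one value."""
    return [name for name, pattern in TEMPLATE_TAG_PATTERNS.items() if pattern.search(value)]


def screen_transformation_params(params: Dict[str, object]) -> Dict[str, List[str]]:
    """Screen every string parameter of a transformation request.

    Returns a mapping of parameter name -> tag kinds found, empty when the
    request carries no template syntax. Non-string values (numbers, flags)
    cannot carry template tags and are skipped.
    """
    findings: Dict[str, List[str]] = {}
    for key, value in params.items():
        if not isinstance(value, str):
            continue
        hits = find_template_tags(value)
        if hits:
            findings[key] = hits
    return findings


def is_safe_transformation(params: Dict[str, object]) -> bool:
    """True when no parameter contains template syntax; use this as the gate
    before the transformation text is handed to any renderer."""
    return not screen_transformation_params(params)


# Constructed sample requests (hypothetical field names, not Open Notebook's schema).
SAMPLE_REQUESTS = [
    {"name": "lowercase-titles", "prompt": "Convert the title to lowercase.", "version": 2},
    {"name": "tagged-expression", "prompt": "Summarize: {{ untrusted_expression }}"},
    {"name": "multiline-statement", "prompt": "Hello {%\n if flag %}x{% endif %}"},
    {"name": "both-kinds", "prompt": "{{ a }} and {% set b = 1 %}"},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        verdict = "accept" if is_safe_transformation(request) else "reject"
        print(f"{request['name']:<20} {verdict:<7} {screen_transformation_params(request)}")
```

In production this check belongs server-side at the request boundary, in addition to (not instead of) the vendor patch: a WAF rule using the same patterns catches payloads in transit, while the in-application gate also covers clients that bypass the proxy, and its rejections are the events to alert on when monitoring for attempts.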

Security Insight

CVE-2026-33587 is a textbook example of how dynamic code execution features in data analysis tools become attack surfaces when input validation is an afterthought. Similar SSTI vulnerabilities in platforms like Jupyter and Apache Airflow have underscored that user-supplied templates must always be sandboxed or sanitized. The CVSS 10.0 rating reflects a fundamental security design gap - the absence of any authentication requirement for a feature that directly invokes an interpreter. Vendors building compute platforms that expose custom transformation capabilities should treat SSTI as a first-class threat in their threat model, not an edge case.
