Executive Summary

CVE-2026-33587 is a critical Remote Code Execution (RCE) vulnerability in the open-notebook package version 1.8.3 and earlier. It occurs due to lack of user input sanitisation in the Jinja2 template rendering used for user-created transformations. An authenticated attacker can inject malicious Jinja2 expressions that execute arbitrary Python code on the server running inside a Docker container.

This vulnerability arises from unsandboxed template rendering via the ai-prompter library, allowing attackers to run arbitrary system commands, access environment variables (including sensitive encryption keys), and read or write files within the container.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including Remote Code Execution within the Docker container hosting the application. An attacker can execute arbitrary system commands, access sensitive environment variables such as encryption keys, and read or modify any files on the container filesystem.

Such capabilities can lead to full compromise of the container environment, potentially allowing attackers to escalate privileges, steal sensitive data, disrupt service availability, or use the compromised system as a pivot point for further attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves Server-Side Template Injection (SSTI) in Open Notebook versions 1.8.3 and earlier, allowing execution of arbitrary Python code via malicious Jinja2 expressions in user-created transformations.

To detect exploitation attempts or presence of this vulnerability, you can monitor logs for suspicious Jinja2 template expressions or unusual command executions within the Docker container running Open Notebook.

• Check application logs for suspicious template strings such as '{{cycler.__init__.__globals__.os.popen('id').read()}}' or other Jinja2 expressions.
• Within the Docker container, run commands to check for unexpected processes or commands, for example: `ps aux` or `top`.
• Use container inspection commands to look for unusual file changes or access, e.g., `docker exec <container_id> ls -la /path/to/app`.
• Monitor network traffic for unusual outbound connections from the container that might indicate command execution.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Open Notebook to version 1.8.4 or later, where the vulnerability is patched by updating the ai-prompter dependency to version 0.4.0, which uses Jinja2's SandboxedEnvironment to prevent arbitrary code execution.

Until the upgrade can be applied, restrict access to the Open Notebook application to trusted users only, as the vulnerability requires authentication.

Consider isolating the Docker container and monitoring for suspicious activity to limit potential damage.

Review and sanitize any user-created transformation inputs if possible to prevent injection of malicious templates.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code within the Docker container, potentially leading to unauthorized access to environment variables, including encryption keys, and arbitrary file read/write operations. Such unauthorized access and control over sensitive data and system integrity can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Specifically, the compromise of confidentiality, integrity, and availability of data due to this Remote Code Execution (RCE) vulnerability could lead to non-compliance with these standards, as they require safeguarding data against unauthorized access and ensuring system security.

Useful 0 Not Useful 0