PYSEC-2026-1286

Vulnerability from pysec - Published: 2026-07-07 16:02 - Updated: 2026-07-07 17:23
VLAI
Details

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.

Impacted products
Name purl
dagster pkg:pypi/dagster

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dagster",
        "purl": "pkg:pypi/dagster"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0rc1",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.9",
        "0.10.0",
        "0.10.0rc0",
        "0.10.1",
        "0.10.1rc0",
        "0.10.2",
        "0.10.2rc0",
        "0.10.3",
        "0.10.3rc0",
        "0.10.4",
        "0.10.4rc0",
        "0.10.5",
        "0.10.5rc0",
        "0.10.6",
        "0.10.6rc0",
        "0.10.7",
        "0.10.7rc0",
        "0.10.8",
        "0.10.8rc0",
        "0.10.9",
        "0.11.0",
        "0.11.0rc0",
        "0.11.1",
        "0.11.10",
        "0.11.10rc0",
        "0.11.10rc1",
        "0.11.10rc2",
        "0.11.11",
        "0.11.11rc1",
        "0.11.11rc5",
        "0.11.11rc7",
        "0.11.12",
        "0.11.12rc0",
        "0.11.12rc2",
        "0.11.12rc3",
        "0.11.13",
        "0.11.13rc1",
        "0.11.13rc2",
        "0.11.13rc3",
        "0.11.13rc5",
        "0.11.14",
        "0.11.14rc0",
        "0.11.14rc1",
        "0.11.14rc2",
        "0.11.14rc3",
        "0.11.14rc4",
        "0.11.14rc5",
        "0.11.14rc6",
        "0.11.14rc7",
        "0.11.14rc8",
        "0.11.15",
        "0.11.15rc0",
        "0.11.15rc1",
        "0.11.16",
        "0.11.16rc10",
        "0.11.16rc18",
        "0.11.1rc0",
        "0.11.2",
        "0.11.2rc0",
        "0.11.3",
        "0.11.3rc0",
        "0.11.4",
        "0.11.4rc0",
        "0.11.5",
        "0.11.5rc0",
        "0.11.5rc1",
        "0.11.6",
        "0.11.6rc10",
        "0.11.6rc11",
        "0.11.6rc13",
        "0.11.6rc14",
        "0.11.6rc15",
        "0.11.6rc16",
        "0.11.6rc17",
        "0.11.6rc18",
        "0.11.6rc19",
        "0.11.6rc20",
        "0.11.6rc21",
        "0.11.6rc22",
        "0.11.6rc23",
        "0.11.6rc24",
        "0.11.6rc25",
        "0.11.6rc26",
        "0.11.6rc27",
        "0.11.6rc28",
        "0.11.6rc29",
        "0.11.6rc30",
        "0.11.6rc31",
        "0.11.6rc32",
        "0.11.6rc5",
        "0.11.6rc7",
        "0.11.6rc8",
        "0.11.6rc9",
        "0.11.7",
        "0.11.7rc1",
        "0.11.7rc10",
        "0.11.7rc13",
        "0.11.7rc14",
        "0.11.7rc2",
        "0.11.7rc3",
        "0.11.7rc4",
        "0.11.7rc6",
        "0.11.7rc7",
        "0.11.7rc8",
        "0.11.7rc9",
        "0.11.8",
        "0.11.8rc3",
        "0.11.8rc4",
        "0.11.8rc5",
        "0.11.9",
        "0.11.9rc10",
        "0.11.9rc11",
        "0.11.9rc12",
        "0.11.9rc6",
        "0.11.9rc7",
        "0.11.9rc8",
        "0.12.0",
        "0.12.0rc0",
        "0.12.1",
        "0.12.10",
        "0.12.10rc0",
        "0.12.10rc1",
        "0.12.11",
        "0.12.11rc0",
        "0.12.12",
        "0.12.12rc0",
        "0.12.13",
        "0.12.13rc0",
        "0.12.14",
        "0.12.14rc0",
        "0.12.14rc1",
        "0.12.14rc2",
        "0.12.15",
        "0.12.15rc0",
        "0.12.15rc2",
        "0.12.1rc0",
        "0.12.2",
        "0.12.2rc0",
        "0.12.3",
        "0.12.3rc0",
        "0.12.3rc1",
        "0.12.4",
        "0.12.4rc0",
        "0.12.4rc1",
        "0.12.5",
        "0.12.5rc0",
        "0.12.6",
        "0.12.6rc0",
        "0.12.7",
        "0.12.7rc0",
        "0.12.8",
        "0.12.8rc0",
        "0.12.9",
        "0.12.9rc0",
        "0.12.9rc1",
        "0.12.9rc2",
        "0.13.0",
        "0.13.0rc0",
        "0.13.1",
        "0.13.10",
        "0.13.10rc0",
        "0.13.10rc1",
        "0.13.10rc2",
        "0.13.10rc3",
        "0.13.11",
        "0.13.11rc0",
        "0.13.12",
        "0.13.12rc2",
        "0.13.13",
        "0.13.13rc0",
        "0.13.14",
        "0.13.14rc0",
        "0.13.15",
        "0.13.15rc0",
        "0.13.16",
        "0.13.16rc0",
        "0.13.17",
        "0.13.17rc0",
        "0.13.18",
        "0.13.18rc0",
        "0.13.19",
        "0.13.19rc2",
        "0.13.1rc0",
        "0.13.2",
        "0.13.2rc0",
        "0.13.2rc1",
        "0.13.2rc2",
        "0.13.3",
        "0.13.3rc0",
        "0.13.4",
        "0.13.4rc0",
        "0.13.5",
        "0.13.5rc0",
        "0.13.6",
        "0.13.6rc0",
        "0.13.7",
        "0.13.7rc0",
        "0.13.8",
        "0.13.8rc0",
        "0.13.9",
        "0.13.9rc0",
        "0.14.0",
        "0.14.0rc0",
        "0.14.1",
        "0.14.10",
        "0.14.11",
        "0.14.12",
        "0.14.13",
        "0.14.14",
        "0.14.15",
        "0.14.16",
        "0.14.16rc2",
        "0.14.16rc3",
        "0.14.16rc4",
        "0.14.17",
        "0.14.17rc10",
        "0.14.17rc3",
        "0.14.17rc4",
        "0.14.17rc5",
        "0.14.17rc6",
        "0.14.17rc7",
        "0.14.17rc8",
        "0.14.18",
        "0.14.18rc2",
        "0.14.18rc3",
        "0.14.18rc4",
        "0.14.18rc5",
        "0.14.18rc6",
        "0.14.19",
        "0.14.1rc0",
        "0.14.2",
        "0.14.20",
        "0.14.20rc0",
        "0.14.21rc0",
        "0.14.2rc0",
        "0.14.3",
        "0.14.3rc0",
        "0.14.4",
        "0.14.4rc0",
        "0.14.5",
        "0.14.5rc0",
        "0.14.6",
        "0.14.6rc0",
        "0.14.7",
        "0.14.7rc0",
        "0.14.8",
        "0.14.8rc1",
        "0.14.9",
        "0.14.9rc0",
        "0.15.0",
        "0.15.1",
        "0.15.10",
        "0.15.2",
        "0.15.3",
        "0.15.4",
        "0.15.5",
        "0.15.6",
        "0.15.7",
        "0.15.8",
        "0.15.9",
        "0.2.0",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.7.1",
        "0.2.8",
        "0.2.8.post0",
        "0.2.8.post3",
        "0.3.0",
        "0.3.0.post2",
        "0.3.0.post3",
        "0.3.0a10",
        "0.3.0a12",
        "0.3.0a13",
        "0.3.0a9",
        "0.3.0rc7",
        "0.3.1",
        "0.3.1rc0",
        "0.3.2",
        "0.3.3.post0",
        "0.3.3.post1",
        "0.3.4",
        "0.3.5",
        "0.4.0",
        "0.4.0rc2",
        "0.4.3",
        "0.4.3.post2",
        "0.4.3.post4",
        "0.4.3rc1",
        "0.5.0",
        "0.5.0rc0",
        "0.5.0rc2",
        "0.5.0rc3",
        "0.5.0rc4",
        "0.5.1",
        "0.5.1rc0",
        "0.5.2",
        "0.5.2.post2",
        "0.5.2.post3",
        "0.5.2rc0",
        "0.5.3",
        "0.5.4",
        "0.5.4rc0",
        "0.5.5",
        "0.5.5rc0",
        "0.5.6",
        "0.5.6rc2",
        "0.5.7",
        "0.5.7rc0",
        "0.5.8",
        "0.5.8rc0",
        "0.5.9",
        "0.5.9rc0",
        "0.6.0",
        "0.6.0.post0",
        "0.6.0rc0",
        "0.6.0rc1",
        "0.6.1",
        "0.6.1rc1",
        "0.6.2",
        "0.6.2rc0",
        "0.6.2rc1",
        "0.6.2rc2",
        "0.6.3",
        "0.6.3rc0",
        "0.6.3rc2",
        "0.6.4",
        "0.6.4rc0",
        "0.6.4rc3",
        "0.6.5",
        "0.6.5rc1",
        "0.6.5rc2",
        "0.6.5rc3",
        "0.6.6",
        "0.6.6rc0",
        "0.6.6rc1",
        "0.6.7",
        "0.6.7.post0",
        "0.6.7rc0",
        "0.6.8",
        "0.6.8rc0",
        "0.6.8rc1",
        "0.6.8rc2",
        "0.6.9",
        "0.7.0",
        "0.7.0rc0",
        "0.7.0rc1",
        "0.7.1",
        "0.7.10",
        "0.7.10rc0",
        "0.7.11",
        "0.7.11.post0",
        "0.7.11rc0",
        "0.7.12",
        "0.7.12rc0",
        "0.7.13",
        "0.7.13rc0",
        "0.7.14",
        "0.7.14rc0",
        "0.7.15",
        "0.7.15rc0",
        "0.7.16",
        "0.7.16rc0",
        "0.7.1rc0",
        "0.7.2",
        "0.7.2rc0",
        "0.7.3",
        "0.7.3rc1",
        "0.7.4",
        "0.7.4rc0",
        "0.7.5",
        "0.7.5rc0",
        "0.7.6",
        "0.7.6rc0",
        "0.7.7",
        "0.7.7rc0",
        "0.7.8",
        "0.7.8rc0",
        "0.7.9",
        "0.7.9rc0",
        "0.8.0",
        "0.8.0rc0",
        "0.8.1",
        "0.8.10",
        "0.8.10rc0",
        "0.8.10rc1",
        "0.8.10rc2",
        "0.8.1rc0",
        "0.8.2",
        "0.8.2rc0",
        "0.8.2rc1",
        "0.8.3",
        "0.8.3rc0",
        "0.8.4",
        "0.8.4rc0",
        "0.8.5",
        "0.8.5rc0",
        "0.8.6",
        "0.8.6rc1",
        "0.8.7",
        "0.8.7rc0",
        "0.8.8",
        "0.8.8rc0",
        "0.8.9",
        "0.8.9rc0",
        "0.9.0",
        "0.9.0rc0",
        "0.9.1",
        "0.9.10",
        "0.9.10.post0",
        "0.9.11",
        "0.9.11rc0",
        "0.9.12",
        "0.9.12rc0",
        "0.9.12rc1",
        "0.9.13",
        "0.9.13rc0",
        "0.9.14",
        "0.9.14rc0",
        "0.9.15",
        "0.9.15rc0",
        "0.9.16",
        "0.9.16rc0",
        "0.9.17",
        "0.9.17rc0",
        "0.9.18",
        "0.9.18rc0",
        "0.9.19",
        "0.9.19rc0",
        "0.9.1rc0",
        "0.9.1rc1",
        "0.9.2",
        "0.9.20",
        "0.9.20rc0",
        "0.9.21",
        "0.9.21rc0",
        "0.9.22",
        "0.9.22.post0",
        "0.9.22rc0",
        "0.9.22rc1",
        "0.9.2rc0",
        "0.9.3",
        "0.9.3rc0",
        "0.9.4",
        "0.9.4rc0",
        "0.9.5",
        "0.9.5rc1",
        "0.9.6",
        "0.9.6rc0",
        "0.9.7",
        "0.9.7rc0",
        "0.9.8",
        "0.9.8rc0",
        "0.9.9",
        "0.9.9rc1",
        "1.0.0",
        "1.0.0rc2",
        "1.0.1",
        "1.0.10",
        "1.0.11",
        "1.0.12",
        "1.0.13",
        "1.0.14",
        "1.0.15",
        "1.0.16",
        "1.0.17",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.0.9",
        "1.1.0",
        "1.1.1",
        "1.1.10",
        "1.1.11",
        "1.1.12",
        "1.1.13",
        "1.1.14",
        "1.1.15",
        "1.1.16rc0",
        "1.1.17",
        "1.1.17rc0",
        "1.1.18",
        "1.1.19",
        "1.1.2",
        "1.1.20",
        "1.1.21",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.1.7",
        "1.1.8",
        "1.1.9",
        "1.10.0",
        "1.10.1",
        "1.10.10",
        "1.10.11",
        "1.10.11rc0",
        "1.10.11rc1",
        "1.10.12",
        "1.10.13",
        "1.10.14",
        "1.10.15",
        "1.10.2",
        "1.10.3",
        "1.10.4",
        "1.10.5",
        "1.10.6",
        "1.10.6rc0",
        "1.10.7",
        "1.10.7rc0",
        "1.10.8",
        "1.10.9",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.7",
        "1.3.0",
        "1.3.1",
        "1.3.10",
        "1.3.11",
        "1.3.12",
        "1.3.13",
        "1.3.14",
        "1.3.14rc0",
        "1.3.14rc1",
        "1.3.14rc2",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.3.8",
        "1.3.9",
        "1.3.9rc0",
        "1.4.0",
        "1.4.1",
        "1.4.10",
        "1.4.11",
        "1.4.12",
        "1.4.12rc0",
        "1.4.13",
        "1.4.13rc0",
        "1.4.13rc1",
        "1.4.14",
        "1.4.15",
        "1.4.16",
        "1.4.17",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5.0",
        "1.5.1",
        "1.5.10",
        "1.5.11",
        "1.5.12",
        "1.5.13",
        "1.5.14",
        "1.5.14rc0",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "1.5.7",
        "1.5.8",
        "1.5.9",
        "1.6.0",
        "1.6.1",
        "1.6.10",
        "1.6.11",
        "1.6.12",
        "1.6.13",
        "1.6.14",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7.0",
        "1.7.1",
        "1.7.10",
        "1.7.11",
        "1.7.12",
        "1.7.13",
        "1.7.14",
        "1.7.15",
        "1.7.16",
        "1.7.2",
        "1.7.2rc1",
        "1.7.2rc2",
        "1.7.2rc3",
        "1.7.2rc4",
        "1.7.3",
        "1.7.4",
        "1.7.5",
        "1.7.6",
        "1.7.7",
        "1.7.8",
        "1.7.9",
        "1.7.9rc0",
        "1.8.0",
        "1.8.1",
        "1.8.10",
        "1.8.11",
        "1.8.12",
        "1.8.13",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.8.5",
        "1.8.6",
        "1.8.7",
        "1.8.8",
        "1.8.9",
        "1.9.0",
        "1.9.1",
        "1.9.10",
        "1.9.11",
        "1.9.12",
        "1.9.13",
        "1.9.2",
        "1.9.3",
        "1.9.4",
        "1.9.4rc0",
        "1.9.5",
        "1.9.6",
        "1.9.7",
        "1.9.8",
        "1.9.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-51481",
    "GHSA-h7x8-jv97-fvvm"
  ],
  "details": "Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.",
  "id": "PYSEC-2026-1286",
  "modified": "2026-07-07T17:23:59.172499Z",
  "published": "2026-07-07T16:02:58.276937Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dagster-io/dagster/pull/30002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dagster-io/dagster/commit/3a3cec2b51577c4970e6fc4c199cda6418c09a9d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dagster-io/dagster"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/dagster-ge/PYSEC-2025-102.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.gecko.security/blog/cve-2025-51481"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/dagster"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-h7x8-jv97-fvvm"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dagster Local File Inclusion vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…