PYSEC-2026-1286
Vulnerability from pysec - Published: 2026-07-07 16:02 - Updated: 2026-07-07 17:23
VLAI
Details
Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.
Severity
6.6 (Medium)
Impacted products
| Name | purl | dagster | pkg:pypi/dagster |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dagster",
"purl": "pkg:pypi/dagster"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.16"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.0rc1",
"0.1.1",
"0.1.2",
"0.1.3",
"0.1.4",
"0.1.5",
"0.1.6",
"0.1.7",
"0.1.9",
"0.10.0",
"0.10.0rc0",
"0.10.1",
"0.10.1rc0",
"0.10.2",
"0.10.2rc0",
"0.10.3",
"0.10.3rc0",
"0.10.4",
"0.10.4rc0",
"0.10.5",
"0.10.5rc0",
"0.10.6",
"0.10.6rc0",
"0.10.7",
"0.10.7rc0",
"0.10.8",
"0.10.8rc0",
"0.10.9",
"0.11.0",
"0.11.0rc0",
"0.11.1",
"0.11.10",
"0.11.10rc0",
"0.11.10rc1",
"0.11.10rc2",
"0.11.11",
"0.11.11rc1",
"0.11.11rc5",
"0.11.11rc7",
"0.11.12",
"0.11.12rc0",
"0.11.12rc2",
"0.11.12rc3",
"0.11.13",
"0.11.13rc1",
"0.11.13rc2",
"0.11.13rc3",
"0.11.13rc5",
"0.11.14",
"0.11.14rc0",
"0.11.14rc1",
"0.11.14rc2",
"0.11.14rc3",
"0.11.14rc4",
"0.11.14rc5",
"0.11.14rc6",
"0.11.14rc7",
"0.11.14rc8",
"0.11.15",
"0.11.15rc0",
"0.11.15rc1",
"0.11.16",
"0.11.16rc10",
"0.11.16rc18",
"0.11.1rc0",
"0.11.2",
"0.11.2rc0",
"0.11.3",
"0.11.3rc0",
"0.11.4",
"0.11.4rc0",
"0.11.5",
"0.11.5rc0",
"0.11.5rc1",
"0.11.6",
"0.11.6rc10",
"0.11.6rc11",
"0.11.6rc13",
"0.11.6rc14",
"0.11.6rc15",
"0.11.6rc16",
"0.11.6rc17",
"0.11.6rc18",
"0.11.6rc19",
"0.11.6rc20",
"0.11.6rc21",
"0.11.6rc22",
"0.11.6rc23",
"0.11.6rc24",
"0.11.6rc25",
"0.11.6rc26",
"0.11.6rc27",
"0.11.6rc28",
"0.11.6rc29",
"0.11.6rc30",
"0.11.6rc31",
"0.11.6rc32",
"0.11.6rc5",
"0.11.6rc7",
"0.11.6rc8",
"0.11.6rc9",
"0.11.7",
"0.11.7rc1",
"0.11.7rc10",
"0.11.7rc13",
"0.11.7rc14",
"0.11.7rc2",
"0.11.7rc3",
"0.11.7rc4",
"0.11.7rc6",
"0.11.7rc7",
"0.11.7rc8",
"0.11.7rc9",
"0.11.8",
"0.11.8rc3",
"0.11.8rc4",
"0.11.8rc5",
"0.11.9",
"0.11.9rc10",
"0.11.9rc11",
"0.11.9rc12",
"0.11.9rc6",
"0.11.9rc7",
"0.11.9rc8",
"0.12.0",
"0.12.0rc0",
"0.12.1",
"0.12.10",
"0.12.10rc0",
"0.12.10rc1",
"0.12.11",
"0.12.11rc0",
"0.12.12",
"0.12.12rc0",
"0.12.13",
"0.12.13rc0",
"0.12.14",
"0.12.14rc0",
"0.12.14rc1",
"0.12.14rc2",
"0.12.15",
"0.12.15rc0",
"0.12.15rc2",
"0.12.1rc0",
"0.12.2",
"0.12.2rc0",
"0.12.3",
"0.12.3rc0",
"0.12.3rc1",
"0.12.4",
"0.12.4rc0",
"0.12.4rc1",
"0.12.5",
"0.12.5rc0",
"0.12.6",
"0.12.6rc0",
"0.12.7",
"0.12.7rc0",
"0.12.8",
"0.12.8rc0",
"0.12.9",
"0.12.9rc0",
"0.12.9rc1",
"0.12.9rc2",
"0.13.0",
"0.13.0rc0",
"0.13.1",
"0.13.10",
"0.13.10rc0",
"0.13.10rc1",
"0.13.10rc2",
"0.13.10rc3",
"0.13.11",
"0.13.11rc0",
"0.13.12",
"0.13.12rc2",
"0.13.13",
"0.13.13rc0",
"0.13.14",
"0.13.14rc0",
"0.13.15",
"0.13.15rc0",
"0.13.16",
"0.13.16rc0",
"0.13.17",
"0.13.17rc0",
"0.13.18",
"0.13.18rc0",
"0.13.19",
"0.13.19rc2",
"0.13.1rc0",
"0.13.2",
"0.13.2rc0",
"0.13.2rc1",
"0.13.2rc2",
"0.13.3",
"0.13.3rc0",
"0.13.4",
"0.13.4rc0",
"0.13.5",
"0.13.5rc0",
"0.13.6",
"0.13.6rc0",
"0.13.7",
"0.13.7rc0",
"0.13.8",
"0.13.8rc0",
"0.13.9",
"0.13.9rc0",
"0.14.0",
"0.14.0rc0",
"0.14.1",
"0.14.10",
"0.14.11",
"0.14.12",
"0.14.13",
"0.14.14",
"0.14.15",
"0.14.16",
"0.14.16rc2",
"0.14.16rc3",
"0.14.16rc4",
"0.14.17",
"0.14.17rc10",
"0.14.17rc3",
"0.14.17rc4",
"0.14.17rc5",
"0.14.17rc6",
"0.14.17rc7",
"0.14.17rc8",
"0.14.18",
"0.14.18rc2",
"0.14.18rc3",
"0.14.18rc4",
"0.14.18rc5",
"0.14.18rc6",
"0.14.19",
"0.14.1rc0",
"0.14.2",
"0.14.20",
"0.14.20rc0",
"0.14.21rc0",
"0.14.2rc0",
"0.14.3",
"0.14.3rc0",
"0.14.4",
"0.14.4rc0",
"0.14.5",
"0.14.5rc0",
"0.14.6",
"0.14.6rc0",
"0.14.7",
"0.14.7rc0",
"0.14.8",
"0.14.8rc1",
"0.14.9",
"0.14.9rc0",
"0.15.0",
"0.15.1",
"0.15.10",
"0.15.2",
"0.15.3",
"0.15.4",
"0.15.5",
"0.15.6",
"0.15.7",
"0.15.8",
"0.15.9",
"0.2.0",
"0.2.2",
"0.2.3",
"0.2.4",
"0.2.5",
"0.2.6",
"0.2.7",
"0.2.7.1",
"0.2.8",
"0.2.8.post0",
"0.2.8.post3",
"0.3.0",
"0.3.0.post2",
"0.3.0.post3",
"0.3.0a10",
"0.3.0a12",
"0.3.0a13",
"0.3.0a9",
"0.3.0rc7",
"0.3.1",
"0.3.1rc0",
"0.3.2",
"0.3.3.post0",
"0.3.3.post1",
"0.3.4",
"0.3.5",
"0.4.0",
"0.4.0rc2",
"0.4.3",
"0.4.3.post2",
"0.4.3.post4",
"0.4.3rc1",
"0.5.0",
"0.5.0rc0",
"0.5.0rc2",
"0.5.0rc3",
"0.5.0rc4",
"0.5.1",
"0.5.1rc0",
"0.5.2",
"0.5.2.post2",
"0.5.2.post3",
"0.5.2rc0",
"0.5.3",
"0.5.4",
"0.5.4rc0",
"0.5.5",
"0.5.5rc0",
"0.5.6",
"0.5.6rc2",
"0.5.7",
"0.5.7rc0",
"0.5.8",
"0.5.8rc0",
"0.5.9",
"0.5.9rc0",
"0.6.0",
"0.6.0.post0",
"0.6.0rc0",
"0.6.0rc1",
"0.6.1",
"0.6.1rc1",
"0.6.2",
"0.6.2rc0",
"0.6.2rc1",
"0.6.2rc2",
"0.6.3",
"0.6.3rc0",
"0.6.3rc2",
"0.6.4",
"0.6.4rc0",
"0.6.4rc3",
"0.6.5",
"0.6.5rc1",
"0.6.5rc2",
"0.6.5rc3",
"0.6.6",
"0.6.6rc0",
"0.6.6rc1",
"0.6.7",
"0.6.7.post0",
"0.6.7rc0",
"0.6.8",
"0.6.8rc0",
"0.6.8rc1",
"0.6.8rc2",
"0.6.9",
"0.7.0",
"0.7.0rc0",
"0.7.0rc1",
"0.7.1",
"0.7.10",
"0.7.10rc0",
"0.7.11",
"0.7.11.post0",
"0.7.11rc0",
"0.7.12",
"0.7.12rc0",
"0.7.13",
"0.7.13rc0",
"0.7.14",
"0.7.14rc0",
"0.7.15",
"0.7.15rc0",
"0.7.16",
"0.7.16rc0",
"0.7.1rc0",
"0.7.2",
"0.7.2rc0",
"0.7.3",
"0.7.3rc1",
"0.7.4",
"0.7.4rc0",
"0.7.5",
"0.7.5rc0",
"0.7.6",
"0.7.6rc0",
"0.7.7",
"0.7.7rc0",
"0.7.8",
"0.7.8rc0",
"0.7.9",
"0.7.9rc0",
"0.8.0",
"0.8.0rc0",
"0.8.1",
"0.8.10",
"0.8.10rc0",
"0.8.10rc1",
"0.8.10rc2",
"0.8.1rc0",
"0.8.2",
"0.8.2rc0",
"0.8.2rc1",
"0.8.3",
"0.8.3rc0",
"0.8.4",
"0.8.4rc0",
"0.8.5",
"0.8.5rc0",
"0.8.6",
"0.8.6rc1",
"0.8.7",
"0.8.7rc0",
"0.8.8",
"0.8.8rc0",
"0.8.9",
"0.8.9rc0",
"0.9.0",
"0.9.0rc0",
"0.9.1",
"0.9.10",
"0.9.10.post0",
"0.9.11",
"0.9.11rc0",
"0.9.12",
"0.9.12rc0",
"0.9.12rc1",
"0.9.13",
"0.9.13rc0",
"0.9.14",
"0.9.14rc0",
"0.9.15",
"0.9.15rc0",
"0.9.16",
"0.9.16rc0",
"0.9.17",
"0.9.17rc0",
"0.9.18",
"0.9.18rc0",
"0.9.19",
"0.9.19rc0",
"0.9.1rc0",
"0.9.1rc1",
"0.9.2",
"0.9.20",
"0.9.20rc0",
"0.9.21",
"0.9.21rc0",
"0.9.22",
"0.9.22.post0",
"0.9.22rc0",
"0.9.22rc1",
"0.9.2rc0",
"0.9.3",
"0.9.3rc0",
"0.9.4",
"0.9.4rc0",
"0.9.5",
"0.9.5rc1",
"0.9.6",
"0.9.6rc0",
"0.9.7",
"0.9.7rc0",
"0.9.8",
"0.9.8rc0",
"0.9.9",
"0.9.9rc1",
"1.0.0",
"1.0.0rc2",
"1.0.1",
"1.0.10",
"1.0.11",
"1.0.12",
"1.0.13",
"1.0.14",
"1.0.15",
"1.0.16",
"1.0.17",
"1.0.2",
"1.0.3",
"1.0.4",
"1.0.5",
"1.0.6",
"1.0.7",
"1.0.8",
"1.0.9",
"1.1.0",
"1.1.1",
"1.1.10",
"1.1.11",
"1.1.12",
"1.1.13",
"1.1.14",
"1.1.15",
"1.1.16rc0",
"1.1.17",
"1.1.17rc0",
"1.1.18",
"1.1.19",
"1.1.2",
"1.1.20",
"1.1.21",
"1.1.3",
"1.1.4",
"1.1.5",
"1.1.6",
"1.1.7",
"1.1.8",
"1.1.9",
"1.10.0",
"1.10.1",
"1.10.10",
"1.10.11",
"1.10.11rc0",
"1.10.11rc1",
"1.10.12",
"1.10.13",
"1.10.14",
"1.10.15",
"1.10.2",
"1.10.3",
"1.10.4",
"1.10.5",
"1.10.6",
"1.10.6rc0",
"1.10.7",
"1.10.7rc0",
"1.10.8",
"1.10.9",
"1.2.0",
"1.2.1",
"1.2.2",
"1.2.3",
"1.2.4",
"1.2.5",
"1.2.6",
"1.2.7",
"1.3.0",
"1.3.1",
"1.3.10",
"1.3.11",
"1.3.12",
"1.3.13",
"1.3.14",
"1.3.14rc0",
"1.3.14rc1",
"1.3.14rc2",
"1.3.2",
"1.3.3",
"1.3.4",
"1.3.5",
"1.3.6",
"1.3.7",
"1.3.8",
"1.3.9",
"1.3.9rc0",
"1.4.0",
"1.4.1",
"1.4.10",
"1.4.11",
"1.4.12",
"1.4.12rc0",
"1.4.13",
"1.4.13rc0",
"1.4.13rc1",
"1.4.14",
"1.4.15",
"1.4.16",
"1.4.17",
"1.4.2",
"1.4.3",
"1.4.4",
"1.4.5",
"1.4.6",
"1.4.7",
"1.4.8",
"1.4.9",
"1.5.0",
"1.5.1",
"1.5.10",
"1.5.11",
"1.5.12",
"1.5.13",
"1.5.14",
"1.5.14rc0",
"1.5.2",
"1.5.3",
"1.5.4",
"1.5.5",
"1.5.6",
"1.5.7",
"1.5.8",
"1.5.9",
"1.6.0",
"1.6.1",
"1.6.10",
"1.6.11",
"1.6.12",
"1.6.13",
"1.6.14",
"1.6.2",
"1.6.3",
"1.6.4",
"1.6.5",
"1.6.6",
"1.6.7",
"1.6.8",
"1.6.9",
"1.7.0",
"1.7.1",
"1.7.10",
"1.7.11",
"1.7.12",
"1.7.13",
"1.7.14",
"1.7.15",
"1.7.16",
"1.7.2",
"1.7.2rc1",
"1.7.2rc2",
"1.7.2rc3",
"1.7.2rc4",
"1.7.3",
"1.7.4",
"1.7.5",
"1.7.6",
"1.7.7",
"1.7.8",
"1.7.9",
"1.7.9rc0",
"1.8.0",
"1.8.1",
"1.8.10",
"1.8.11",
"1.8.12",
"1.8.13",
"1.8.2",
"1.8.3",
"1.8.4",
"1.8.5",
"1.8.6",
"1.8.7",
"1.8.8",
"1.8.9",
"1.9.0",
"1.9.1",
"1.9.10",
"1.9.11",
"1.9.12",
"1.9.13",
"1.9.2",
"1.9.3",
"1.9.4",
"1.9.4rc0",
"1.9.5",
"1.9.6",
"1.9.7",
"1.9.8",
"1.9.9"
]
}
],
"aliases": [
"CVE-2025-51481",
"GHSA-h7x8-jv97-fvvm"
],
"details": "Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.",
"id": "PYSEC-2026-1286",
"modified": "2026-07-07T17:23:59.172499Z",
"published": "2026-07-07T16:02:58.276937Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51481"
},
{
"type": "WEB",
"url": "https://github.com/dagster-io/dagster/pull/30002"
},
{
"type": "WEB",
"url": "https://github.com/dagster-io/dagster/commit/3a3cec2b51577c4970e6fc4c199cda6418c09a9d"
},
{
"type": "PACKAGE",
"url": "https://github.com/dagster-io/dagster"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/dagster-ge/PYSEC-2025-102.yaml"
},
{
"type": "WEB",
"url": "https://www.gecko.security/blog/cve-2025-51481"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/dagster"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h7x8-jv97-fvvm"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Dagster Local File Inclusion vulnerability"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…