Incorrect access control in Jupyter notebooks


  • CVE Id: CVE-2021-27225

  • CVSS Base Score: 5.4

  • Severity: Medium

  • CWE classification: CWE-284


Dataiku would like to thank Xiejingwei Fei (jack dot fei at finra dot org) for discovering and reporting this vulnerability.


In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.

In order to exploit the vulnerability, the attacker must have coding permissions in Dataiku DSS and write access to a project, and must send specially-crafted HTTP queries.

Affected Products

Dataiku DSS in versions before 8.0.6


Dataiku DSS 8.0.6 has been made available to customers to remediate this issue.