anonhaven
Ad

CVE-2026-35167

HIGH CVSS 3.1: 7.1 EPSS 0.02%
Updated Apr 07, 2026
Kedro
Parameter Value
CVSS 7.1 (HIGH)
Fixed In 1.3.0
Type CWE-22 (Path Traversal)
Vendor Kedro
Public PoC No

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory.

This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

References 2

https://github.com/kedro-org/kedro/pull/5442
security-advisories@github.com
https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35171

Kedro

9.8