Skip to main content

CVE-2026-35167

| EUVDEUVD-2026-19416 HIGH
Path Traversal (CWE-22)
2026-04-03 https://github.com/kedro-org/kedro GHSA-6326-w46w-ppjw
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 04:00 euvd
EUVD-2026-19416
Analysis Generated
Apr 03, 2026 - 04:00 vuln.today
Patch released
Apr 03, 2026 - 04:00 nvd
Patch available
CVE Published
Apr 03, 2026 - 03:46 nvd
HIGH 7.1

DescriptionGitHub Advisory

Impact

The _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments.

Patches

Yes. Fixed in kedro version 1.3.0. Users should upgrade to kedro >= 1.3.0.

Workarounds

Validate version strings before passing them to DataCatalog or the CLI, ensuring they do not contain .. segments, path separators, or absolute paths.

AnalysisAI

Path traversal in Kedro's versioned dataset loader allows authenticated remote attackers to read arbitrary files outside intended data directories. Kedro versions before 1.3.0 fail to sanitize user-supplied version strings in catalog.load(), DataCatalog.from_config(), and CLI operations, enabling traversal sequences (../) to escape versioned dataset boundaries. Attackers with API or CLI access can exfiltrate sensitive files, poison training data, or access other tenants' data in multi-tenant ML pipelines. EPSS probability indicates moderate exploitation likelihood (specific score not provided), with publicly available exploit code exists via the referenced GitHub pull request demonstrating the vulnerability mechanics. Vendor-released patch available in Kedro 1.3.0.

Technical ContextAI

Kedro is a Python framework for reproducible, maintainable data science pipelines, commonly used in machine learning workflows. The vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) resides in the _get_versioned_path() method within kedro/io/core.py, which handles versioned dataset loading. This method constructs filesystem paths by directly concatenating user-controlled version strings without normalization or validation. When a version parameter contains directory traversal sequences like '../../../', Python's pathlib or os.path operations preserve these sequences, allowing navigation outside the intended versioned dataset root. The affected component (pkg:pip/kedro) is installed via pip and processes version identifiers through three attack surfaces: programmatic API calls to catalog.load(version=...), configuration-driven DataCatalog.from_config(load_versions=...), and command-line arguments via kedro run --load-versions. The lack of input sanitization means the application trusts version strings as safe path components rather than potentially malicious input.

RemediationAI

Upgrade immediately to Kedro version 1.3.0 or later, which includes input validation in the _get_versioned_path() method to reject traversal sequences and absolute paths. Install the patched version using pip install --upgrade 'kedro>=1.3.0' and verify installation with pip show kedro. Review the security fix implementation in GitHub pull request #5442 (https://github.com/kedro-org/kedro/pull/5442) to understand the sanitization logic applied. For environments unable to upgrade immediately, implement application-layer validation of all version strings before passing to DataCatalog.load(), DataCatalog.from_config(), or CLI commands: reject inputs containing '..' segments, forward slashes, backslashes, or absolute path indicators (leading / or drive letters). Use allowlist validation restricting version strings to alphanumeric characters, hyphens, and underscores. Audit existing logs and configurations for suspicious version parameters indicating potential historical exploitation. In multi-tenant deployments, consider additional filesystem-level controls such as chroot jails or containerization to limit blast radius even if path traversal occurs. Consult the official advisory at https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw for additional vendor guidance.

Share

CVE-2026-35167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy