Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attacker must run Kedro locally (AV:L) with pipeline-execution rights (PR:L); no user interaction; arbitrary file read and dataset overwrite give C:H/I:H but no availability loss.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The _get_versioned_path() method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to escape the intended versioned dataset directory and access files outside the expected path. The issue is also reachable through the CLI via the --load-versions parameter, as _split_load_versions() in kedro/framework/cli/utils.py does not validate the version string. This vulnerability can lead to unauthorized file reads, data poisoning, cross-project or cross-tenant data access, and broader downstream impacts in environments where Kedro is used with automation or orchestration layers.
AnalysisAI
Path traversal in Kedro 1.2.0 allows authenticated local users to read or overwrite files outside of versioned dataset directories by supplying a crafted version string. The flaw resides in _get_versioned_path() (kedro/io/core.py) and is also reachable via the --load-versions CLI parameter, with downstream risk of data poisoning and cross-tenant data exposure in orchestrated pipelines. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Technical ContextAI
Kedro is an open-source Python framework from the Kedro Org (formerly QuantumBlack/McKinsey) used to build reproducible, modular data science and ML pipelines, with versioned datasets persisted to filesystems or object stores. The root cause is a classic CWE-22 path-traversal: _get_versioned_path() performs direct string interpolation of a user-supplied version token into a filesystem path without normalization, allowlisting, or rejection of .. and absolute-path components. The same untrusted input flows in through _split_load_versions() in kedro/framework/cli/utils.py, which tokenizes the --load-versions CLI value but never validates its contents, so any caller able to influence pipeline parameters or CLI invocation inherits the traversal primitive. The single confirmed CPE is cpe:2.3:a:kedro-org:kedro-org/kedro at version 1.2.0.
RemediationAI
No vendor-released patched version is identified in the provided input, so treat remediation as advisory-only until the Kedro maintainers publish a fix referenced from the huntr bounty at https://huntr.com/bounties/156dead0-1ad5-487f-b7f5-84e707277f76. As compensating controls, restrict who can pass --load-versions on the CLI and who can set version parameters in pipeline configs (e.g., gate kedro run behind a wrapper that rejects version strings containing .., /, \, or NUL), validate version strings against a strict pattern such as ISO-8601 timestamps before they reach Kedro, and run Kedro pipelines under a least-privileged OS user whose filesystem access is confined to the project directory via chroot, containers, or filesystem ACLs. The trade-off is that strict input validation may break legitimate custom versioning schemes, and confining the runner user can complicate integration with shared model registries or artifact stores.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36497
GHSA-jfxr-crxr-374q