Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
The _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments.
Patches
Yes. Fixed in kedro version 1.3.0. Users should upgrade to kedro >= 1.3.0.
Workarounds
Validate version strings before passing them to DataCatalog or the CLI, ensuring they do not contain .. segments, path separators, or absolute paths.
AnalysisAI
Path traversal in Kedro's versioned dataset loader allows authenticated remote attackers to read arbitrary files outside intended data directories. Kedro versions before 1.3.0 fail to sanitize user-supplied version strings in catalog.load(), DataCatalog.from_config(), and CLI operations, enabling traversal sequences (../) to escape versioned dataset boundaries. Attackers with API or CLI access can exfiltrate sensitive files, poison training data, or access other tenants' data in multi-tenant ML pipelines. EPSS probability indicates moderate exploitation likelihood (specific score not provided), with publicly available exploit code exists via the referenced GitHub pull request demonstrating the vulnerability mechanics. Vendor-released patch available in Kedro 1.3.0.
Technical ContextAI
Kedro is a Python framework for reproducible, maintainable data science pipelines, commonly used in machine learning workflows. The vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) resides in the _get_versioned_path() method within kedro/io/core.py, which handles versioned dataset loading. This method constructs filesystem paths by directly concatenating user-controlled version strings without normalization or validation. When a version parameter contains directory traversal sequences like '../../../', Python's pathlib or os.path operations preserve these sequences, allowing navigation outside the intended versioned dataset root. The affected component (pkg:pip/kedro) is installed via pip and processes version identifiers through three attack surfaces: programmatic API calls to catalog.load(version=...), configuration-driven DataCatalog.from_config(load_versions=...), and command-line arguments via kedro run --load-versions. The lack of input sanitization means the application trusts version strings as safe path components rather than potentially malicious input.
RemediationAI
Upgrade immediately to Kedro version 1.3.0 or later, which includes input validation in the _get_versioned_path() method to reject traversal sequences and absolute paths. Install the patched version using pip install --upgrade 'kedro>=1.3.0' and verify installation with pip show kedro. Review the security fix implementation in GitHub pull request #5442 (https://github.com/kedro-org/kedro/pull/5442) to understand the sanitization logic applied. For environments unable to upgrade immediately, implement application-layer validation of all version strings before passing to DataCatalog.load(), DataCatalog.from_config(), or CLI commands: reject inputs containing '..' segments, forward slashes, backslashes, or absolute path indicators (leading / or drive letters). Use allowlist validation restricting version strings to alphanumeric characters, hyphens, and underscores. Audit existing logs and configurations for suspicious version parameters indicating potential historical exploitation. In multi-tenant deployments, consider additional filesystem-level controls such as chroot jails or containerization to limit blast radius even if path traversal occurs. Consult the official advisory at https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw for additional vendor guidance.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19416
GHSA-6326-w46w-ppjw