Skip to main content

Kedro Org Kedro

1 CVEs product

Monthly

CVE-2026-3840 HIGH This Week

Path traversal in Kedro 1.2.0 allows authenticated local users to read or overwrite files outside of versioned dataset directories by supplying a crafted version string. The flaw resides in `_get_versioned_path()` (kedro/io/core.py) and is also reachable via the `--load-versions` CLI parameter, with downstream risk of data poisoning and cross-tenant data exposure in orchestrated pipelines. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Path Traversal Kedro Org Kedro
NVD VulDB
CVSS 3.0
7.1
EPSS
0.0%
EPSS 0% CVSS 7.1
HIGH This Week

Path traversal in Kedro 1.2.0 allows authenticated local users to read or overwrite files outside of versioned dataset directories by supplying a crafted version string. The flaw resides in `_get_versioned_path()` (kedro/io/core.py) and is also reachable via the `--load-versions` CLI parameter, with downstream risk of data poisoning and cross-tenant data exposure in orchestrated pipelines. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Path Traversal Kedro Org Kedro
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy