CVE-2026-35492
Status: Received (Intake)
Path Traversal in Kedro-Datasets PartitionedDataset Allows File Overwrite

Publication date: 2026-04-07

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Kedro-Datasets is a Kedro plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker, or malicious input containing ".." components in a partition ID, could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-07
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor      Product          Version / Range
kedro-org   kedro-datasets   all versions before 9.3.0 (9.3.0 excluded; it carries the fix)
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"): The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-35492 is a path traversal vulnerability in the PartitionedDataset component of the kedro-datasets Python package versions prior to 9.3.0.

The issue occurs because partition IDs are concatenated directly with the dataset base path without proper validation or normalization.

An attacker can supply malicious partition IDs containing path traversal sequences like "..", which allows files to be written outside the intended dataset directory.

On a local filesystem this means an arbitrary file overwrite with the permissions of the pipeline process. On object stores such as Amazon S3 and Google Cloud Storage the equivalent outcome is a write to a key outside the configured prefix, subject to how the backend resolves ".." segments. The advisory lists every storage backend supported by PartitionedDataset as affected.

The vulnerability was fixed in kedro-datasets version 9.3.0 by normalizing paths and validating that resolved paths remain within the dataset directory, raising an error if they do not.

Impact Analysis

This vulnerability can allow an attacker or malicious input to overwrite arbitrary files on your filesystem outside the intended dataset directory.

Such unauthorized file writes can compromise the integrity of your system or data by replacing or corrupting important files.

The vulnerability carries a CVSS v3.1 base score of 6.5 (medium): high impact on integrity, none on confidentiality or availability.

The vector assumes network access, low privileges and no user interaction. In practice the attacker needs to control a partition ID. PartitionedDataset takes partition IDs from the keys of the dictionary handed to its save method, so any upstream node that derives those keys from untrusted input (uploaded file names, record fields, external identifiers) supplies the traversal path; exposure is a property of the pipeline's data sources, not just of the package being installed.

Detection Guidance

Exploitation leaves two traces: a partition ID containing a traversal component (".." segments, or an absolute path) reaching PartitionedDataset, and a file created or modified outside the dataset base path by the pipeline process.

Releases before 9.3.0 perform no validation, so a traversal is not logged as an error; the write simply succeeds at the resolved location. Only 9.3.0 and later raise a DatasetError for an ID that resolves outside the base path, which makes that exception a useful signal after upgrading but not before.

Monitoring filesystem (or bucket) activity for unexpected writes outside the dataset base path is therefore the more reliable detection on vulnerable versions.

The resources give no dedicated detection commands, but the following are practical starting points (adjust dates and paths to your deployment):

  • On Linux hosts, list files written since a reference date outside the expected dataset tree: find / -type f -newermt "YYYY-MM-DD" ! -path "/path/to/kedro/data/*"
  • Search pipeline logs, exported partition-key listings or catalog configuration for traversal components: grep -rn '\.\.' /path/to/kedro/logs /path/to/kedro/conf (partition IDs normally originate from data rather than configuration, so an empty result from the configuration directory alone proves little)
  • After upgrading, alert on DatasetError exceptions raised by PartitionedDataset during save, since the patched versions raise one when a partition ID would escape the dataset directory.

If you cannot upgrade immediately, apply the interim validation described under Mitigation Strategies.

Mitigation Strategies

The primary mitigation is to upgrade kedro-datasets to version 9.3.0 or later, where the vulnerability is fixed by normalizing partition paths and rejecting any that resolve outside the dataset directory.

If upgrading is not immediately possible, validate every partition ID before it reaches PartitionedDataset: normalize the joined path and confirm it still lies under the dataset base path, and reject absolute IDs. Rejecting any ID that merely contains a ".." segment is a simpler policy that is also acceptable when legitimate IDs never carry such components, but a containment check is what actually proves the write stays inside the directory.
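The following Python is an added example, not code from kedro-datasets or from this advisory. It models the pre-9.3.0 behaviour that the Description and Executive Summary attribute to PartitionedDataset (partition ID concatenated onto the base path) beside the kind of normalize-and-contain check the fix is described as adding, and wraps that check in a batch filter that can serve as the interim validation suggested above or as a triage pass over exported partition keys for the Detection Guidance. All function names, the hypothetical base paths and the sample partition IDs are constructed for illustration; the handling of an fsspec-style scheme such as `s3://` is an assumption about how a practitioner would treat remote paths, not a description of fsspec's or kedro's internals.

```python
"""Added example for CVE-2026-35492: a model of the traversal flaw and a
containment check of the kind the advisory says 9.3.0 introduced.
Illustrative only; this is not the kedro-datasets implementation."""
import posixpath
from typing import Iterable, List, Tuple


class PartitionPathError(ValueError):
    """Raised when a partition ID would resolve outside the dataset base path."""


def _split_protocol(path: str) -> Tuple[str, str]:
    # Keep an fsspec-style scheme ("s3://bucket/...") away from posixpath, which
    # would otherwise collapse the "//" in the scheme. Assumption for this example.
    if "://" in path:
        proto, _, rest = path.partition("://")
        return proto + "://", rest
    return "", path


def build_partition_path_vulnerable(base_path: str, partition_id: str, suffix: str = "") -> str:
    """Pre-9.3.0 behaviour as described: the ID is glued onto the base path with
    no normalization and no check that the result stays under the base."""
    return f"{base_path.rstrip('/')}/{partition_id}{suffix}"


def where_vulnerable_write_lands(base_path: str, partition_id: str, suffix: str = "") -> str:
    """Resolve '..' segments the way a POSIX filesystem will, to show the real
    target of the unchecked write (object stores may resolve '..' differently)."""
    proto, rest = _split_protocol(build_partition_path_vulnerable(base_path, partition_id, suffix))
    return proto + posixpath.normpath(rest)


def build_partition_path_hardened(base_path: str, partition_id: str, suffix: str = "") -> str:
    """Normalize the joined path and require it to stay strictly below the base."""
    if (not partition_id or partition_id.startswith("/")
            or "\\" in partition_id or "\x00" in partition_id):
        # Empty IDs, absolute IDs, Windows separators (which posixpath does not
        # treat as separators) and NUL bytes are refused outright.
        raise PartitionPathError(f"invalid partition id: {partition_id!r}")
    proto, base = _split_protocol(base_path)
    base = posixpath.normpath(base)  # also strips a trailing slash
    candidate = posixpath.normpath(posixpath.join(base, partition_id + suffix))
    prefix = base if base.endswith("/") else base + "/"
    if not candidate.startswith(prefix):
        raise PartitionPathError(
            f"partition id {partition_id!r} resolves to {candidate!r}, outside {base!r}")
    return proto + candidate


def is_safe_partition_id(base_path: str, partition_id: str, suffix: str = "") -> bool:
    try:
        build_partition_path_hardened(base_path, partition_id, suffix)
    except PartitionPathError:
        return False
    return True


def find_traversal_ids(base_path: str, partition_ids: Iterable[str]) -> List[str]:
    """Batch filter: the IDs the hardened builder rejects. Usable as an interim
    pre-save check on the dict keys passed to PartitionedDataset.save, or to
    triage a dump of partition keys from logs or a bucket listing."""
    return [pid for pid in partition_ids if not is_safe_partition_id(base_path, pid)]


# Constructed sample keys; the hostile ones are made up for this example.
SAMPLE_PARTITION_IDS = [
    "2024-01/part-0000",          # ordinary
    "region=eu/2024-01-31",       # ordinary hive-style key
    "a/../b",                     # contains '..' but stays inside after normalization
    "../../etc/cron.d/nightly",   # climbs out of the base
    "x/../../../outside",         # climbs out after a benign first step
    "/etc/passwd",                # absolute ID
]

if __name__ == "__main__":
    base = "/srv/kedro/data"  # hypothetical local dataset directory
    print("unchecked write lands at:",
          where_vulnerable_write_lands(base, "../../../etc/cron.d/nightly"))
    for pid in find_traversal_ids(base, SAMPLE_PARTITION_IDS):
        print("rejected:", pid)
```

The containment check accepts "a/../b" because it normalizes to a location inside the base; if your legitimate partition IDs never contain ".." you can tighten `build_partition_path_hardened` to refuse any ".." segment as well, which is the simpler policy described above.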

Additionally, monitor your filesystem and application logs for suspicious activity or errors related to path traversal attempts.

Compliance Impact

The vulnerability in Kedro-Datasets' PartitionedDataset component allows arbitrary file overwrite outside the intended dataset directory due to path traversal. This could lead to unauthorized modification of files on the filesystem.

Such unauthorized file writes could potentially impact data integrity and security controls required by common standards and regulations like GDPR and HIPAA, which mandate protection against unauthorized data alteration and ensuring data integrity.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.
