CVE-2026-35492
Path Traversal in Kedro-Datasets PartitionedDataset Allows File Overwrite
Publication date: 2026-04-07
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kedro-org | kedro-datasets | < 9.3.0 (all versions before 9.3.0; fixed in 9.3.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Kedro-Datasets' PartitionedDataset component allows arbitrary file overwrite outside the intended dataset directory due to path traversal. This could lead to unauthorized modification of files on the filesystem.
Such unauthorized file writes could potentially impact data integrity and security controls required by common standards and regulations like GDPR and HIPAA, which mandate protection against unauthorized data alteration and ensuring data integrity.
However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-35492 is a path traversal vulnerability in the PartitionedDataset component of the kedro-datasets Python package versions prior to 9.3.0.
The issue occurs because partition IDs are concatenated directly with the dataset base path without proper validation or normalization.
An attacker can supply malicious partition IDs containing path traversal sequences like "..", which allows files to be written outside the intended dataset directory.
This can lead to arbitrary file overwrite on the filesystem, affecting all storage backends supported by PartitionedDataset, including local filesystems, Amazon S3, and Google Cloud Storage.
The vulnerability was fixed in kedro-datasets version 9.3.0 by normalizing paths and validating that resolved paths remain within the dataset directory, raising an error if they do not.
How can this vulnerability impact me?
This vulnerability can allow an attacker or malicious input to overwrite arbitrary files on your filesystem outside the intended dataset directory.
Such unauthorized file writes can compromise the integrity of your system or data by replacing or corrupting important files.
The vulnerability has a CVSS v3.1 base score of 6.5, indicating moderate severity, with a high impact on integrity but no impact on confidentiality or availability.
Because the attack vector is network-based and requires only low privileges with no user interaction, it can be exploited relatively easily wherever the vulnerable component accepts partition IDs from an untrusted source (for example, a pipeline whose partition names are derived from user-supplied or externally fetched data).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal via malicious partition IDs containing sequences like ".." that cause files to be written outside the intended dataset directory.
To detect exploitation attempts or presence of this vulnerability, you should check for partition IDs or inputs containing path traversal components such as "..".
Since the issue is related to file writes outside the expected directory, monitoring filesystem activity for unexpected file creations or modifications outside the dataset base path may help detect exploitation.
There are no specific commands provided in the resources, but you can use commands like the following to search for suspicious partition IDs or files:
- On Linux systems, search for files created or modified after a given date outside the expected dataset directory (narrowing the search keeps the output manageable): find / -type f -newermt "YYYY-MM-DD" ! -path "/path/to/dataset/*"
- Search logs and configuration for partition IDs that contain a bare ".." path component; anchoring the pattern on path separators avoids false positives such as "2026..04": grep -rE '(^|/)\.\.(/|$)' /path/to/kedro/logs /path/to/kedro/configs
- Monitor application logs for errors or DatasetError exceptions indicating path traversal attempts. Note that the traversal error is raised only by the fixed version (9.3.0 or later); vulnerable versions write the file silently, so the absence of such errors is not evidence that no traversal occurred.
If you cannot upgrade immediately, manually validate partition IDs to ensure they do not contain ".." or other path traversal components before they are used.
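The grep above will miss percent-encoded or backslash-separated traversal sequences and will match harmless strings that merely contain two dots. The following script is an added example, not part of the advisory or of kedro-datasets: it scans constructed sample log lines (the log format and the `partition_id='...'` field are assumptions; adapt the regex to your logger), decodes the partition ID, and flags only IDs whose normalised path components contain `..`, an absolute path, or a URL scheme.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines; the format is hypothetical and not kedro's own.
SAMPLE_LOG_LINES = [
    "2026-04-08T10:12:03Z INFO kedro.io PartitionedDataset save partition_id='2026/04/08/part-0001.csv'",
    "2026-04-08T10:12:05Z INFO kedro.io PartitionedDataset save partition_id='../../../etc/cron.d/backdoor'",
    "2026-04-08T10:12:06Z INFO kedro.io PartitionedDataset save partition_id='..%2F..%2Fconf%2Flocal%2Fcredentials.yml'",
    "2026-04-08T10:12:07Z INFO kedro.io PartitionedDataset save partition_id='reports/2026..04/summary.csv'",
    "2026-04-08T10:12:08Z INFO kedro.io PartitionedDataset save partition_id='..\\..\\windows\\tasks\\job.xml'",
    "2026-04-08T10:12:09Z INFO kedro.io PartitionedDataset save partition_id='/etc/passwd'",
]

# Assumed log field; change this to match how your pipeline logs partition IDs.
PARTITION_ID_RE = re.compile(r"partition_id='([^']*)'")


def normalise_partition_id(pid: str) -> str:
    """Undo (possibly repeated) percent-encoding and unify separators before inspection."""
    decoded = pid
    for _ in range(3):  # a few rounds is enough to unwrap double-encoding tricks
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def traversal_reason(pid: str):
    """Return a short reason string if the partition ID looks like a traversal attempt, else None."""
    norm = normalise_partition_id(pid)
    if norm.startswith("/") or "://" in norm:
        return "absolute path or URL"
    # Test whole components, so '2026..04' is not a hit but '..' is.
    if ".." in norm.split("/"):
        return "'..' path component"
    return None


def scan_lines(lines):
    """Scan log lines and return (line_number, raw_partition_id, reason) for each suspicious ID."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for pid in PARTITION_ID_RE.findall(line):
            reason = traversal_reason(pid)
            if reason is not None:
                hits.append((lineno, pid, reason))
    return hits


if __name__ == "__main__":
    for lineno, pid, reason in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {pid!r} -> {reason}")
```

Run it against real logs with `scan_lines(open(path).read().splitlines())`. Lines 2, 3, 5 and 6 of the sample are reported; line 4 is not, because `2026..04` is a single component rather than a `..` step.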
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade kedro-datasets to version 9.3.0 or later, where the vulnerability is fixed by normalizing and validating partition paths.
If upgrading is not immediately possible, you should manually validate all partition IDs before passing them to PartitionedDataset: normalize each ID, resolve it against the dataset base path, and reject any ID that contains ".." components, is an absolute path, or otherwise resolves outside the dataset directory.
Additionally, monitor your filesystem and application logs for suspicious activity or errors related to path traversal attempts.
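The explanation above describes the flaw as partition IDs being concatenated onto the base path, and the fix as normalising the result and refusing anything that resolves outside the dataset directory; the interim mitigation is to apply the same check yourself. The following is an added illustration of both, not code from kedro-datasets: `unsafe_partition_path` reproduces the naive concatenation, `safe_partition_path` applies the containment check, and `DatasetError` is a stand-in name for the error the fixed library is said to raise. Paths are treated as POSIX-style strings (local paths and `s3://` or `gs://` style URLs); the scheme-splitting helper is an assumption made so that `posixpath.normpath` does not collapse the `//` in a cloud URL.

```python
import posixpath


class DatasetError(Exception):
    """Hypothetical stand-in for the error type the fixed library raises."""


def _split_protocol(path: str):
    """Split 'proto://rest' into ('proto://', 'rest'); local paths return ('', path)."""
    if "://" in path:
        proto, rest = path.split("://", 1)
        return proto + "://", rest
    return "", path


def unsafe_partition_path(base: str, partition_id: str) -> str:
    """The flaw described in the advisory: plain concatenation, no normalisation, no check."""
    return base.rstrip("/") + "/" + partition_id


def where_unsafe_join_lands(base: str, partition_id: str) -> str:
    """Show where the unchecked path actually resolves once the filesystem normalises it."""
    proto, rest = _split_protocol(unsafe_partition_path(base, partition_id))
    return proto + posixpath.normpath(rest)


def safe_partition_path(base: str, partition_id: str) -> str:
    """Resolve partition_id under base and refuse any result that escapes the base directory."""
    proto, base_rest = _split_protocol(base)
    base_norm = posixpath.normpath(base_rest)
    # A partition ID is a relative name; a scheme or leading slash can never be legitimate.
    if "://" in partition_id or partition_id.startswith("/"):
        raise DatasetError(f"partition id {partition_id!r} is not relative to {base!r}")
    # Unify separators, then let normpath resolve '.' and '..' steps.
    candidate = posixpath.normpath(posixpath.join(base_norm, partition_id.replace("\\", "/")))
    # Containment: the resolved path must be the base itself or lie strictly under base + '/'.
    if candidate != base_norm and not candidate.startswith(base_norm.rstrip("/") + "/"):
        raise DatasetError(
            f"partition id {partition_id!r} resolves to {proto + candidate!r}, outside {base!r}"
        )
    return proto + candidate


def is_safe_partition_id(base: str, partition_id: str) -> bool:
    """Convenience predicate for pre-validating IDs before handing them to the dataset."""
    try:
        safe_partition_path(base, partition_id)
        return True
    except DatasetError:
        return False


if __name__ == "__main__":
    base = "/data/partitions"
    evil = "../../etc/cron.d/job"
    print("unchecked write lands at:", where_unsafe_join_lands(base, evil))
    print("checked:", is_safe_partition_id(base, evil))
```

Note that an ID such as `a/../b.csv` is accepted, because after normalisation it still lies inside the base; only IDs whose resolved location leaves the base are rejected, which matches the behaviour the advisory attributes to the fix.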