CVE-2026-3840
Status: Undergoing Analysis - In Progress

Path Traversal in Kedro via Version String

Vulnerability report for CVE-2026-3840, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-16

Assigner: huntr.dev

Description

A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to escape the intended versioned dataset directory and access files outside the expected path. The issue is also reachable through the CLI via the `--load-versions` parameter, as `_split_load_versions()` in `kedro/framework/cli/utils.py` does not validate the version string. This vulnerability can lead to unauthorized file reads, data poisoning, cross-project or cross-tenant data access, and broader downstream impacts in environments where Kedro is used with automation or orchestration layers.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-16
Generated: 2026-07-03
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01

Affected Vendors & Products

1 associated CPE:

Vendor: quantumblack
Product: kedro
Version / Range: 1.2.0

CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

AI Quick Actions
Executive Summary

This vulnerability exists in Kedro version 1.2.0 and involves a path traversal issue. The method `_get_versioned_path()` in the file `kedro/io/core.py` directly uses user-supplied version strings to build filesystem paths without properly sanitizing them. This allows an attacker to craft a malicious version string that escapes the intended directory for versioned datasets and accesses files outside the expected path.

Additionally, the vulnerability can be exploited through the command line interface using the `--load-versions` parameter, because the `_split_load_versions()` function in `kedro/framework/cli/utils.py` does not validate the version string input.
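The unsanitized path construction described in the Description and restated in the Executive Summary, next to the input check that closes it, as an added Python example (not Kedro's own code). It assumes Kedro's versioned layout `<dataset path>/<version>/<file name>` and its timestamp version format `YYYY-MM-DDTHH.MM.SS.mmmZ`; the function names, the constructed traversal string and the `--load-versions`-style mapping are inventions of this example.

```python
import posixpath
import re

# Kedro versions are timestamps such as 2026-06-12T10.30.00.000Z (format assumed
# here), so an allowlist regex rejects every other shape, including separators.
VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}\.\d{2}\.\d{2}\.\d{3}Z$")


class InvalidVersion(ValueError):
    """Raised when a version string fails validation."""


def naive_versioned_path(dataset_path: str, version: str) -> str:
    """The unsafe pattern the advisory describes: the version string is joined
    into the path unchanged, so '..' components (or a leading '/') are honoured."""
    return posixpath.join(dataset_path, version, posixpath.basename(dataset_path))


def is_within(root: str, candidate: str) -> bool:
    """Lexical containment check on strings (no filesystem needed): after
    normalising '.' and '..', is candidate still under root?"""
    root_n = posixpath.normpath(root)
    cand_n = posixpath.normpath(candidate)
    return cand_n == root_n or cand_n.startswith(root_n + "/")


def safe_versioned_path(dataset_path: str, version: str) -> str:
    """Hardened variant: allowlist the version format first, then confirm the
    built path still sits under the dataset directory (defence in depth)."""
    if not VERSION_RE.fullmatch(version):
        raise InvalidVersion(f"version {version!r} is not a Kedro timestamp")
    path = naive_versioned_path(dataset_path, version)
    if not is_within(dataset_path, path):
        raise InvalidVersion(f"version {version!r} escapes {dataset_path!r}")
    return path


def version_is_safe(dataset_path: str, version: str) -> bool:
    """Boolean wrapper around safe_versioned_path for callers that only need a verdict."""
    try:
        safe_versioned_path(dataset_path, version)
    except InvalidVersion:
        return False
    return True


def check_load_versions(load_versions: dict) -> dict:
    """Validate a dataset-name -> version mapping (what a --load-versions style
    option supplies) before any of it reaches path construction."""
    bad = {n: v for n, v in load_versions.items() if not VERSION_RE.fullmatch(v)}
    if bad:
        raise InvalidVersion(f"rejected load versions: {bad}")
    return load_versions
```

Run with a constructed value such as `"../../secrets"` as the version: `naive_versioned_path` yields a path that `is_within` reports as outside the dataset directory, while `safe_versioned_path` refuses it at the format check.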

Compliance Impact

This vulnerability allows unauthorized file reads and cross-project or cross-tenant data access by exploiting path traversal in Kedro version 1.2.0. Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and health information confidentiality and integrity.

Specifically, the ability to access files outside the intended dataset directory without proper authorization can result in exposure of protected data, undermining compliance requirements related to data privacy, access control, and data integrity.

Impact Analysis

This vulnerability can lead to unauthorized file reads, allowing attackers to access sensitive files outside the intended dataset directories.

It can also enable data poisoning, where attackers manipulate data used by Kedro pipelines.

Furthermore, it may cause cross-project or cross-tenant data access, potentially exposing data from other projects or users.

In environments where Kedro is integrated with automation or orchestration layers, the impact can be broader and more severe, affecting downstream processes.
