Description

Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.

INFO

Published Date :

2026-04-07T15:03:45.893Z

Last Modified :

2026-04-08T14:50:03.601Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35492 vulnerability.

Vendors Products
Kedro-org
  • Kedro-plugins
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35492.

URL Resource
https://github.com/kedro-org/kedro-plugins/pull/1346 cve-icon cve-icon
https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv cve-icon cve-icon
https://github.com/kedro-org/kedro/issues/5452 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact