CVE-2026-35167
Description
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kedroPyPI | < 1.3.0 | 1.3.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-6326-w46w-ppjwghsaADVISORY
- github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjwnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-35167ghsaADVISORY
- github.com/kedro-org/kedro/pull/5442nvdIssue TrackingWEB
News mentions
0No linked articles in our index yet.