CVE-2026-35492 - Vulnerability Details

- Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write

Description

Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.

Published: 2026-04-07

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a path traversal flaw in the PartitionedDataset component of the Kedro-Datasets plugin. Partition IDs are concatenated directly into a base path without validation, allowing an attacker to supply .. components and write or overwrite files outside the intended dataset directory. This could replace critical system files or configuration files, opening a pathway to code execution or significant data tampering. The weakness is categorized as CWE‑22.

Affected Systems

The issue affects the kedro‑plugins package from kedro‑org, specifically the Kedro‑Datasets library in all releases prior to version 9.3.0. Any storage backend—local filesystem, Amazon S3, Google Cloud Storage, or others—uses the same partitioning logic, so users of PartitionedDataset across these backends are susceptible.

Risk and Exploitability

With a CVSS base score of 6.5 the flaw is considered moderate but potentially severe. No EPSS or KEV data is available. The likely attack vector is through any interface that accepts partition identifiers, meaning users who can control or influence the partition ID may trigger the flaw. Because the vulnerability permits arbitrary file write, exploitation could lead to privilege escalation or code execution if critical system files are overwritten. Prompt patching is strongly advised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kedro-org

kedro-plugins

affected

Version	Status	Constraints
`< 9.3.0`	affected	—

No data.

Vendor Product Confidence Versions

Kedro-org

Kedro-plugins

100%

Version	Status	Scheme	Platform
`[0,9.3.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade kedro-datasets to version 9.3.0 or later.

Generated by OpenCVE AI on April 7, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-cjg8-h5qc-hrjv	kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/kedro-org/kedro-plugins/pull/1346
https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv
https://github.com/kedro-org/kedro/issues/5452

History

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kedro-org Kedro-org kedro-plugins
Vendors & Products		Kedro-org Kedro-org kedro-plugins

Wed, 08 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.
Title		Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write
Weaknesses		CWE-22
References		https://github.com/kedro-org/kedro-plugins/pull/1346 https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv https://github.com/kedro-org/kedro/issues/5452
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Kedro-org Kedro-plugins

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T15:03:45.893Z

Updated: 2026-04-08T14:50:03.601Z

Reserved: 2026-04-02T20:49:44.454Z

Link: CVE-2026-35492

Vulnrichment

Updated: 2026-04-08T14:49:56.021Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:27.620

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:31Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object