CVE-2026-35167

Source
https://cve.org/CVERecord?id=CVE-2026-35167
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35167.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35167
Aliases
Published
2026-04-06T17:43:21.922Z
Modified
2026-07-15T01:48:58.525365609Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Kedro has a path traversal in versioned dataset loading via unsanitized version string
Details

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the getversionedpath() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.fromconfig(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35167.json"
}
References

Affected packages

Git / github.com/kedro-org/kedro

Affected ranges

Type
GIT
Repo
https://github.com/kedro-org/kedro
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:linuxfoundation:kedro:*:*:*:*:*:python:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.0"
        }
    ]
}

Affected versions

0.*
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.17.7
0.18.0
0.18.1
0.18.10
0.18.11
0.18.12
0.18.13
0.18.14
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.8
0.18.9
0.19.0
0.19.1
0.19.10
0.19.11
0.19.12
0.19.13
0.19.14
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.19.8
0.19.9
1.*
1.0.0
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.1.0
1.1.1
1.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35167.json"