PYSEC-2026-2545

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/kedro-datasets/PYSEC-2026-2545.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2545
Aliases
Published
2026-07-13T14:36:48.722547Z
Modified
2026-07-13T16:32:00.154742777Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
Details

Impact

PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.

Patches

Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using posixpath.normpath and validates that the resolved path remains within the dataset base directory before use, raising a DatasetError if the path escapes the base directory.

Workarounds

Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain .. path components.

References

Fix: https://github.com/kedro-org/kedro-plugins/pull/1346 Report: https://github.com/kedro-org/kedro/issues/5452

References

Affected packages

PyPI / kedro-datasets

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.3.0

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.7.0
1.7.1
1.8.0
2.*
2.0.0
2.1.0
3.*
3.0.0
3.0.1
4.*
4.0.0
4.1.0
5.*
5.0.0
5.1.0
6.*
6.0.0
7.*
7.0.0
8.*
8.0.0
8.1.0
9.*
9.0.0
9.1.0
9.1.1
9.2.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/kedro-datasets/PYSEC-2026-2545.yaml"