CVE-2026-35492
Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
2th
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.
| CWE | CWE-22 |
| Vendor | kedro-org |
| Product | kedro-plugins |
| Published | Apr 7, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for kedro-org kedro-plugins
Be the first to know when new medium vulnerabilities affecting kedro-org kedro-plugins are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
kedro-org / kedro-plugins
< 9.3.0