CVE-2026-35492: kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
(updated )
PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.
References
- github.com/advisories/GHSA-cjg8-h5qc-hrjv
- github.com/kedro-org/kedro-plugins
- github.com/kedro-org/kedro-plugins/commit/65115f76b872217317734b6bde8927170c98fc4b
- github.com/kedro-org/kedro-plugins/pull/1346
- github.com/kedro-org/kedro-plugins/releases/tag/kedro-datasets-9.3.0
- github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv
- github.com/kedro-org/kedro/issues/5452
- nvd.nist.gov/vuln/detail/CVE-2026-35492
Code Behaviors & Features
Detect and mitigate CVE-2026-35492 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →