CVE-2026-35492: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kedro-org kedro-plugins
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.
AI Analysis
Technical Summary
Kedro-Datasets' PartitionedDataset prior to version 9.3.0 is vulnerable to CWE-22 path traversal due to lack of validation on partition IDs concatenated with base paths. This allows malicious input containing directory traversal sequences to escape the intended directory boundary and write files elsewhere on the filesystem or storage backend. The vulnerability impacts all storage backends supported by the plugin. The vendor has released version 9.3.0 which addresses this issue.
Potential Impact
An attacker able to supply crafted partition IDs can cause files to be written outside the designated dataset directory, potentially overwriting arbitrary files on the filesystem or storage backend. This can lead to integrity issues but does not directly impact confidentiality or availability. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.
Mitigation Recommendations
A patch is available in kedro-plugins version 9.3.0 that fixes this path traversal vulnerability. Users should upgrade to version 9.3.0 or later to remediate the issue. Since this is a cloud service environment, the vendor manages remediation for the cloud-hosted service. Users should verify with the vendor advisory for confirmation of patch deployment in cloud environments. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-35492: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kedro-org kedro-plugins
Description
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Kedro-Datasets' PartitionedDataset prior to version 9.3.0 is vulnerable to CWE-22 path traversal due to lack of validation on partition IDs concatenated with base paths. This allows malicious input containing directory traversal sequences to escape the intended directory boundary and write files elsewhere on the filesystem or storage backend. The vulnerability impacts all storage backends supported by the plugin. The vendor has released version 9.3.0 which addresses this issue.
Potential Impact
An attacker able to supply crafted partition IDs can cause files to be written outside the designated dataset directory, potentially overwriting arbitrary files on the filesystem or storage backend. This can lead to integrity issues but does not directly impact confidentiality or availability. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.
Mitigation Recommendations
A patch is available in kedro-plugins version 9.3.0 that fixes this path traversal vulnerability. Users should upgrade to version 9.3.0 or later to remediate the issue. Since this is a cloud service environment, the vendor manages remediation for the cloud-hosted service. Users should verify with the vendor advisory for confirmation of patch deployment in cloud environments. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T20:49:44.454Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d52344aaed68159a2ec616
Added to database: 4/7/2026, 3:31:16 PM
Last enriched: 4/7/2026, 3:48:11 PM
Last updated: 4/8/2026, 12:43:21 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.