GHSA-CJG8-H5QC-HRJV

Vulnerability from github – Published: 2026-04-06 17:55 – Updated: 2026-04-07 22:09
Summary
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
Details

Impact

PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.

Patches

Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using posixpath.normpath and validates that the resolved path remains within the dataset base directory before use, raising a DatasetError if the path escapes the base directory.

Workarounds

Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain .. path components.
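The two checks described above, the base-directory containment check the 9.3.0 fix adds and the partition-ID pre-validation suggested as a workaround, written out as an added example; this is not kedro's code, and the DatasetError class, _split_protocol and the function names are assumptions for illustration:

```python
import posixpath


class DatasetError(Exception):
    """Stand-in for kedro's DatasetError; name taken from the advisory, not imported from kedro."""


def _split_protocol(path: str) -> tuple[str, str]:
    """Separate an fsspec-style protocol prefix ("s3://", "gcs://") from the path part."""
    if "://" in path:
        protocol, _, rest = path.partition("://")
        return protocol + "://", rest
    return "", path


def join_partition_path(base_path: str, partition_id: str) -> str:
    """Join a partition ID onto the dataset base path and refuse any result that escapes it.

    Hypothetical re-implementation of the check the advisory describes for 9.3.0:
    normalize with posixpath.normpath, then require the result to stay under base.
    Assumes base_path is non-empty.
    """
    protocol, base = _split_protocol(base_path)
    base = posixpath.normpath(base)  # drops a trailing "/" and collapses "./" and "//"
    # normpath resolves "../" lexically, so an escaping ID ends up as a path that
    # no longer starts with the base directory (an absolute ID replaces base outright).
    full = posixpath.normpath(posixpath.join(base, partition_id))
    # Compare with base + "/" so a sibling such as "/data/outputs2" is not accepted
    # as being inside "/data/outputs".
    if full != base and not full.startswith(base + "/"):
        raise DatasetError(
            f"Partition ID {partition_id!r} resolves to {full!r}, outside {base!r}"
        )
    return protocol + full


def validate_partition_id(partition_id: str) -> str:
    """Pre-upgrade workaround from the advisory: reject IDs containing '..' components
    (and absolute IDs) before they are handed to PartitionedDataset."""
    if partition_id.startswith("/") or ".." in partition_id.split("/"):
        raise ValueError(f"unsafe partition ID: {partition_id!r}")
    return partition_id
```

The workaround check is deliberately stricter than the fix: it rejects an ID like "a/../b.csv" even though that ID normalizes to a path inside the base directory.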

References

Fix: https://github.com/kedro-org/kedro-plugins/pull/1346
Report: https://github.com/kedro-org/kedro/issues/5452


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "kedro-datasets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T17:55:14Z",
    "nvd_published_at": "2026-04-07T16:16:27Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nPartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem.\nUsers of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.\n\n### Patches\nYes. The vulnerability has been patched in kedro-datasets version 9.3.0.\nUsers should upgrade to kedro-datasets \u003e= 9.3.0. The fix normalizes constructed paths using `posixpath.normpath` and validates that the resolved path remains within the dataset base directory before use, raising a `DatasetError` if the path escapes the base directory.\n\n### Workarounds\nUsers who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain `..` path components.\n\n### References\nFix: https://github.com/kedro-org/kedro-plugins/pull/1346\nReport: https://github.com/kedro-org/kedro/issues/5452",
  "id": "GHSA-cjg8-h5qc-hrjv",
  "modified": "2026-04-07T22:09:25Z",
  "published": "2026-04-06T17:55:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kedro-org/kedro/issues/5452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kedro-org/kedro-plugins/pull/1346"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kedro-org/kedro-plugins/commit/65115f76b872217317734b6bde8927170c98fc4b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kedro-org/kedro-plugins"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kedro-org/kedro-plugins/releases/tag/kedro-datasets-9.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write"
}

