CVE-2026-35492
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
Description
### Impact PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. ### Patches Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using `posixpath.normpath` and validates that the resolved path remains within the dataset base directory before use, raising a `DatasetError` if the path escapes the base directory. ### Workarounds Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain `..` path components. ### References Fix: https://github.com/kedro-org/kedro-plugins/pull/1346 Report: https://github.com/kedro-org/kedro/issues/5452
How to fix CVE-2026-35492
To remediate CVE-2026-35492, upgrade the affected package to a fixed version below.
- —upgrade to 9.3.0 or later
Is CVE-2026-35492 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 9.3.0