CVE-2026-35492: kedro-datasets: path traversal enables arbitrary file write
GHSA-cjg8-h5qc-hrjv MEDIUMkedro-datasets PartitionedDataset concatenates user-controlled partition IDs directly with the base path without validation, allowing `..` traversal sequences to escape the configured directory and write files anywhere the process has write access — across all storage backends (local, S3, GCS). CVSS 6.5 with Integrity:HIGH, network-accessible, low complexity, low privileges required, no user interaction needed — in automated ML pipelines that ingest external partition IDs (event-triggered ingestion, API-driven workflows), an attacker can silently overwrite training datasets, model artifacts, or pipeline configuration files with no active exploitation or CISA KEV entry, but the attack is trivially constructed. Upgrade to kedro-datasets >= 9.3.0 immediately (patch applies posixpath.normpath and directory-escape validation); if upgrade is blocked, sanitize all partition IDs to reject `..` components and absolute paths before passing to PartitionedDataset, and enforce least-privilege filesystem permissions on pipeline processes.
What is the risk?
Medium severity (CVSS 6.5) with disproportionate integrity impact in AI/ML contexts. Network-accessible attack vector with low complexity and low privileges required makes exploitation straightforward for any attacker who can influence partition IDs — via compromised upstream data sources, malicious input files, or API-driven ingestion endpoints. While not actively exploited and absent from CISA KEV, automated ML pipelines rarely monitor for unexpected file writes outside expected directories, making silent exploitation highly probable in affected environments running versions prior to 9.3.0.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| HF Datasets | pip | < 9.3.0 | 9.3.0 |
Do you use HF Datasets? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
PATCH
Upgrade kedro-datasets to >= 9.3.0 — the fix applies posixpath.normpath to constructed paths and raises DatasetError if the resolved path escapes the base directory.
-
WORKAROUND (if upgrade blocked): Validate all partition IDs before passing to PartitionedDataset — reject any containing
.., absolute path prefixes, or URL-encoded traversal variants (%2e%2e). -
HARDEN
Run Kedro pipeline processes under OS accounts with write access scoped to expected dataset directories only; apply IAM boundaries on cloud storage buckets.
-
DETECT
Enable filesystem or cloud storage audit logging and alert on writes outside configured dataset base paths.
-
INVENTORY
Identify all PartitionedDataset usages that accept partition IDs from external, user-controlled, or third-party data sources.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-35492?
kedro-datasets PartitionedDataset concatenates user-controlled partition IDs directly with the base path without validation, allowing `..` traversal sequences to escape the configured directory and write files anywhere the process has write access — across all storage backends (local, S3, GCS). CVSS 6.5 with Integrity:HIGH, network-accessible, low complexity, low privileges required, no user interaction needed — in automated ML pipelines that ingest external partition IDs (event-triggered ingestion, API-driven workflows), an attacker can silently overwrite training datasets, model artifacts, or pipeline configuration files with no active exploitation or CISA KEV entry, but the attack is trivially constructed. Upgrade to kedro-datasets >= 9.3.0 immediately (patch applies posixpath.normpath and directory-escape validation); if upgrade is blocked, sanitize all partition IDs to reject `..` components and absolute paths before passing to PartitionedDataset, and enforce least-privilege filesystem permissions on pipeline processes.
Is CVE-2026-35492 actively exploited?
No confirmed active exploitation of CVE-2026-35492 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35492?
1. PATCH: Upgrade kedro-datasets to >= 9.3.0 — the fix applies posixpath.normpath to constructed paths and raises DatasetError if the resolved path escapes the base directory. 2. WORKAROUND (if upgrade blocked): Validate all partition IDs before passing to PartitionedDataset — reject any containing `..`, absolute path prefixes, or URL-encoded traversal variants (%2e%2e). 3. HARDEN: Run Kedro pipeline processes under OS accounts with write access scoped to expected dataset directories only; apply IAM boundaries on cloud storage buckets. 4. DETECT: Enable filesystem or cloud storage audit logging and alert on writes outside configured dataset base paths. 5. INVENTORY: Identify all PartitionedDataset usages that accept partition IDs from external, user-controlled, or third-party data sources.
What systems are affected by CVE-2026-35492?
This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Data ingestion pipelines, Batch ML inference pipelines, ML data management and versioning.
What is the CVSS score for CVE-2026-35492?
CVE-2026-35492 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.43%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0020 Poison Training Data AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
### Impact PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. ### Patches Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using `posixpath.normpath` and validates that the resolved path remains within the dataset base directory before use, raising a `DatasetError` if the path escapes the base directory. ### Workarounds Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain `..` path components. ### References Fix: https://github.com/kedro-org/kedro-plugins/pull/1346 Report: https://github.com/kedro-org/kedro/issues/5452
Exploitation Scenario
An attacker with access to an upstream data source or event-driven ingestion pipeline submits a batch containing malicious partition IDs such as `../../model_store/production_classifier.pkl` or `../../config/credentials.yaml`. When the Kedro pipeline processes this batch and saves output partitions via PartitionedDataset, kedro-datasets writes attacker-controlled content to paths outside the configured base directory. In a scheduled retraining pipeline scenario, the attacker overwrites the production model artifact with a backdoored version that maintains normal accuracy metrics while exhibiting adversarially-conditioned misclassification — all appearing as routine pipeline output in logs.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-50027 9.8 mcp-memory-service: auth bypass on document API
Same package: datasets CVE-2026-52812 Gogs LFS: cross-tenant object disclosure via dedupe bypass
Same package: datasets CVE-2026-48797 backpropagate: auth bypass exposes LLM training plane
Same package: datasets CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Supply Chain CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain