CVE-2026-35492 — MEDIUM (CVSS 6.5)

CISO Take

kedro-datasets PartitionedDataset concatenates user-controlled partition IDs directly with the base path without validation, allowing `..` traversal sequences to escape the configured directory and write files anywhere the process has write access — across all storage backends (local, S3, GCS). CVSS 6.5 with Integrity:HIGH, network-accessible, low complexity, low privileges required, no user interaction needed — in automated ML pipelines that ingest external partition IDs (event-triggered ingestion, API-driven workflows), an attacker can silently overwrite training datasets, model artifacts, or pipeline configuration files with no active exploitation or CISA KEV entry, but the attack is trivially constructed. Upgrade to kedro-datasets >= 9.3.0 immediately (patch applies posixpath.normpath and directory-escape validation); if upgrade is blocked, sanitize all partition IDs to reject `..` components and absolute paths before passing to PartitionedDataset, and enforce least-privilege filesystem permissions on pipeline processes.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium severity (CVSS 6.5) with disproportionate integrity impact in AI/ML contexts. Network-accessible attack vector with low complexity and low privileges required makes exploitation straightforward for any attacker who can influence partition IDs — via compromised upstream data sources, malicious input files, or API-driven ingestion endpoints. While not actively exploited and absent from CISA KEV, automated ML pipelines rarely monitor for unexpected file writes outside expected directories, making silent exploitation highly probable in affected environments running versions prior to 9.3.0.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
kedro-datasets	pip	< 9.3.0	`9.3.0`
21.5K OpenSSF 5.7 2.8K dependents Pushed 6d ago 100% patched ~0d to patch Full package profile →

Do you use kedro-datasets? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 5% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I High

A None

What should I do?

5 steps

PATCH

Upgrade kedro-datasets to >= 9.3.0 — the fix applies posixpath.normpath to constructed paths and raises DatasetError if the resolved path escapes the base directory.
WORKAROUND (if upgrade blocked): Validate all partition IDs before passing to PartitionedDataset — reject any containing .., absolute path prefixes, or URL-encoded traversal variants (%2e%2e).
HARDEN

Run Kedro pipeline processes under OS accounts with write access scoped to expected dataset directories only; apply IAM boundaries on cloud storage buckets.
DETECT

Enable filesystem or cloud storage audit logging and alert on writes outside configured dataset base paths.
INVENTORY

Identify all PartitionedDataset usages that accept partition IDs from external, user-controlled, or third-party data sources.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Model Poisoning Code Execution Framework Training Data AML.T0010.001 - AI Software AML.T0020 - Poison Training Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - Data for AI systems

NIST AI RMF

MANAGE-2.2 - Residual risks and errors are managed

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-35492?

kedro-datasets PartitionedDataset concatenates user-controlled partition IDs directly with the base path without validation, allowing `..` traversal sequences to escape the configured directory and write files anywhere the process has write access — across all storage backends (local, S3, GCS). CVSS 6.5 with Integrity:HIGH, network-accessible, low complexity, low privileges required, no user interaction needed — in automated ML pipelines that ingest external partition IDs (event-triggered ingestion, API-driven workflows), an attacker can silently overwrite training datasets, model artifacts, or pipeline configuration files with no active exploitation or CISA KEV entry, but the attack is trivially constructed. Upgrade to kedro-datasets >= 9.3.0 immediately (patch applies posixpath.normpath and directory-escape validation); if upgrade is blocked, sanitize all partition IDs to reject `..` components and absolute paths before passing to PartitionedDataset, and enforce least-privilege filesystem permissions on pipeline processes.

Is CVE-2026-35492 actively exploited?

No confirmed active exploitation of CVE-2026-35492 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35492?

1. PATCH: Upgrade kedro-datasets to >= 9.3.0 — the fix applies posixpath.normpath to constructed paths and raises DatasetError if the resolved path escapes the base directory. 2. WORKAROUND (if upgrade blocked): Validate all partition IDs before passing to PartitionedDataset — reject any containing `..`, absolute path prefixes, or URL-encoded traversal variants (%2e%2e). 3. HARDEN: Run Kedro pipeline processes under OS accounts with write access scoped to expected dataset directories only; apply IAM boundaries on cloud storage buckets. 4. DETECT: Enable filesystem or cloud storage audit logging and alert on writes outside configured dataset base paths. 5. INVENTORY: Identify all PartitionedDataset usages that accept partition IDs from external, user-controlled, or third-party data sources.

What systems are affected by CVE-2026-35492?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Data ingestion pipelines, Batch ML inference pipelines, ML data management and versioning.

What is the CVSS score for CVE-2026-35492?

CVE-2026-35492 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

### Impact PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. ### Patches Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using `posixpath.normpath` and validates that the resolved path remains within the dataset base directory before use, raising a `DatasetError` if the path escapes the base directory. ### Workarounds Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain `..` path components. ### References Fix: https://github.com/kedro-org/kedro-plugins/pull/1346 Report: https://github.com/kedro-org/kedro/issues/5452

Exploitation Scenario

An attacker with access to an upstream data source or event-driven ingestion pipeline submits a batch containing malicious partition IDs such as `../../model_store/production_classifier.pkl` or `../../config/credentials.yaml`. When the Kedro pipeline processes this batch and saves output partitions via PartitionedDataset, kedro-datasets writes attacker-controlled content to paths outside the configured base directory. In a scheduled retraining pipeline scenario, the attacker overwrites the production model artifact with a backdoored version that maintains normal accuracy metrics while exhibiting adversarially-conditioned misclassification — all appearing as routine pipeline output in logs.