CVE-2026-35492: kedro-datasets: path traversal enables arbitrary file write
GHSA-cjg8-h5qc-hrjv | MEDIUM

kedro-datasets PartitionedDataset concatenates user-controlled partition IDs directly with the base path without validation, allowing `..` traversal sequences to escape the configured directory and write files anywhere the process has write access, across all storage backends (local, S3, GCS). The CVSS score is 6.5 with Integrity:HIGH: network-accessible, low complexity, low privileges required, no user interaction needed. In automated ML pipelines that ingest external partition IDs (event-triggered ingestion, API-driven workflows), an attacker can silently overwrite training datasets, model artifacts, or pipeline configuration files. There is no active exploitation and no CISA KEV entry, but the attack is trivially constructed. Upgrade to kedro-datasets >= 9.3.0 immediately (the patch applies `posixpath.normpath` and directory-escape validation); if the upgrade is blocked, sanitize all partition IDs to reject `..` components and absolute paths before passing them to PartitionedDataset, and enforce least-privilege filesystem permissions on pipeline processes.
Risk Assessment
Medium severity (CVSS 6.5) with disproportionate integrity impact in AI/ML contexts. A network-accessible attack vector with low complexity and low privileges required makes exploitation straightforward for any attacker who can influence partition IDs, whether via compromised upstream data sources, malicious input files, or API-driven ingestion endpoints. While the vulnerability is not actively exploited and is absent from CISA KEV, automated ML pipelines rarely monitor for unexpected file writes outside expected directories, making silent exploitation highly probable in affected environments running versions prior to 9.3.0.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| kedro-datasets | pip | < 9.3.0 | 9.3.0 |
Recommended Action
- PATCH: Upgrade kedro-datasets to >= 9.3.0 — the fix applies posixpath.normpath to constructed paths and raises DatasetError if the resolved path escapes the base directory.
- WORKAROUND (if upgrade blocked): Validate all partition IDs before passing to PartitionedDataset — reject any containing `..`, absolute path prefixes, or URL-encoded traversal variants (%2e%2e).
- HARDEN: Run Kedro pipeline processes under OS accounts with write access scoped to expected dataset directories only; apply IAM boundaries on cloud storage buckets.
- DETECT: Enable filesystem or cloud storage audit logging and alert on writes outside configured dataset base paths.
- INVENTORY: Identify all PartitionedDataset usages that accept partition IDs from external, user-controlled, or third-party data sources.
Technical Details
NVD Description
### Impact

PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing `..` components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.

### Patches

Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using `posixpath.normpath` and validates that the resolved path remains within the dataset base directory before use, raising a `DatasetError` if the path escapes the base directory.

### Workarounds

Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain `..` path components.

### References

- Fix: https://github.com/kedro-org/kedro-plugins/pull/1346
- Report: https://github.com/kedro-org/kedro/issues/5452
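One way to implement the workaround from the Recommended Action list and the NVD text above for pipelines that cannot upgrade yet. This is an added example, not code from kedro-datasets or its patch: `validate_partition_id`, `filter_partition_ids` and `PartitionIdError` are hypothetical names, the sample IDs are constructed, and rejecting backslashes and NUL bytes is a conservative assumption beyond what the advisory lists.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample IDs; the two ../../ values are the ones quoted on this page.
SAMPLE_IDS = [
    "2024/01/part-0.csv",
    "../../model_store/production_classifier.pkl",
    "../../config/credentials.yaml",
    "%2e%2e/%2e%2e/config/credentials.yaml",
    "%252e%252e/escape.csv", "/tmp/absolute.csv", "2024/../../escape.csv", ".",
]

class PartitionIdError(ValueError):
    """Partition ID that would resolve outside the dataset base path."""

def _fully_decode(value, max_rounds=3):
    # Undo nested percent-encoding so %2e%2e and %252e%252e both become "..".
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise PartitionIdError("partition ID is percent-encoded too deeply")

def validate_partition_id(base_path, partition_id):
    """Return partition_id unchanged if it stays under base_path, else raise."""
    pid = _fully_decode(partition_id)
    if not pid or "\x00" in pid or "\\" in pid:
        raise PartitionIdError(f"malformed partition ID: {partition_id!r}")
    if posixpath.isabs(pid) or ".." in pid.split("/"):
        raise PartitionIdError(f"traversal in partition ID: {partition_id!r}")
    # Containment check in the style the advisory describes for 9.3.0:
    # normalise the joined path and require it to stay below the base.
    base = posixpath.normpath(base_path)
    full = posixpath.normpath(posixpath.join(base, pid))
    if not full.startswith(base + "/"):
        raise PartitionIdError(f"escapes base path: {partition_id!r}")
    return partition_id

def filter_partition_ids(base_path, partition_ids):
    """Split IDs into (accepted, rejected) before any of them reaches a save."""
    accepted, rejected = [], []
    for pid in partition_ids:
        try:
            accepted.append(validate_partition_id(base_path, pid))
        except PartitionIdError:
            rejected.append(pid)
    return accepted, rejected
```

Log the rejected IDs with their upstream source so that a batch carrying traversal attempts is investigated rather than silently dropped.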
Exploitation Scenario
An attacker with access to an upstream data source or event-driven ingestion pipeline submits a batch containing malicious partition IDs such as `../../model_store/production_classifier.pkl` or `../../config/credentials.yaml`. When the Kedro pipeline processes this batch and saves output partitions via PartitionedDataset, kedro-datasets writes attacker-controlled content to paths outside the configured base directory. In a scheduled retraining pipeline scenario, the attacker overwrites the production model artifact with a backdoored version that maintains normal accuracy metrics while exhibiting adversarially-conditioned misclassification — all appearing as routine pipeline output in logs.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Related Vulnerabilities
| ID | Score | Summary | Same attack type |
|---|---|---|---|
| CVE-2024-2912 | 10.0 | BentoML: RCE via insecure deserialization (CVSS 10) | Supply Chain |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Code Execution |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Supply Chain |
| CVE-2025-5120 | 10.0 | smolagents: sandbox escape enables unauthenticated RCE | Supply Chain |
| GHSA-vvpj-8cmc-gx39 | 10.0 | picklescan: security flaw enables exploitation | Supply Chain |