{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35492", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.454Z", "datePublished": "2026-04-07T15:03:45.893Z", "dateUpdated": "2026-04-08T14:50:03.601Z"}, "containers": {"cna": {"title": "Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv"}, {"name": "https://github.com/kedro-org/kedro/issues/5452", "tags": ["x_refsource_MISC"], "url": "https://github.com/kedro-org/kedro/issues/5452"}, {"name": "https://github.com/kedro-org/kedro-plugins/pull/1346", "tags": ["x_refsource_MISC"], "url": "https://github.com/kedro-org/kedro-plugins/pull/1346"}], "affected": [{"vendor": "kedro-org", "product": "kedro-plugins", "versions": [{"version": "< 9.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:03:45.893Z"}, "descriptions": [{"lang": "en", "value": "Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0."}], "source": {"advisory": "GHSA-cjg8-h5qc-hrjv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:49:49.907338Z", "id": "CVE-2026-35492", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:50:03.601Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:49:49.907338Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:49:56.021Z"}}], "cna": {"title": "Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write", "source": {"advisory": "GHSA-cjg8-h5qc-hrjv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kedro-org", "product": "kedro-plugins", "versions": [{"status": "affected", "version": "< 9.3.0"}]}], "references": [{"url": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv", "name": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kedro-org/kedro/issues/5452", "name": "https://github.com/kedro-org/kedro/issues/5452", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kedro-org/kedro-plugins/pull/1346", "name": "https://github.com/kedro-org/kedro-plugins/pull/1346", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:03:45.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35492", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:50:03.601Z", "dateReserved": "2026-04-02T20:49:44.454Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:03:45.893Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0."}], "id": "CVE-2026-35492", "lastModified": "2026-04-16T14:45:19.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.620", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kedro-org/kedro-plugins/pull/1346"}, {"source": "security-advisories@github.com", "url": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv"}, {"source": "security-advisories@github.com", "url": "https://github.com/kedro-org/kedro/issues/5452"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kedro-plugins", "source": "cna", "vendor": "kedro-org"}, "product": "kedro-plugins", "vendor": "kedro-org"}], "analysis": {"en": {"generated_at": "2026-04-07T22:50:04.752903+00:00", "value": {"mitigation_remediation": ["Upgrade kedro-datasets to version 9.3.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The issue affects the kedro\u2011plugins package from kedro\u2011org, specifically the Kedro\u2011Datasets library in all releases prior to version 9.3.0. Any storage backend\u2014local filesystem, Amazon S3, Google Cloud Storage, or others\u2014uses the same partitioning logic, so users of PartitionedDataset across these backends are susceptible.", "description_and_impact": "The vulnerability is a path traversal flaw in the PartitionedDataset component of the Kedro-Datasets plugin. Partition IDs are concatenated directly into a base path without validation, allowing an attacker to supply .. components and write or overwrite files outside the intended dataset directory. This could replace critical system files or configuration files, opening a pathway to code execution or significant data tampering. The weakness is categorized as CWE\u201122.", "risk_and_exploitability": "With a CVSS base score of 6.5 the flaw is considered moderate but potentially severe. No EPSS or KEV data is available. The likely attack vector is through any interface that accepts partition identifiers, meaning users who can control or influence the partition ID may trigger the flaw. Because the vulnerability permits arbitrary file write, exploitation could lead to privilege escalation or code execution if critical system files are overwritten. Prompt patching is strongly advised."}}}}, "created": "2026-04-08T19:37:16.112572+00:00", "updated": "2026-04-08T19:48:31.732334+00:00", "vendors": ["kedro-org", "kedro-org$PRODUCT$kedro-plugins"]}