CVE-2026-35492
Last modified
CVE-2026-35492 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-35492?
How severe is CVE-2026-35492?
How do I fix CVE-2026-35492?
Are you affected by CVE-2026-35492?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST