Platform
python
Component
kedro
Fixed in
1.3.1
1.3.0
CVE-2026-35167 is a path traversal vulnerability in Kedro, an open-source Python framework for building data science pipelines. The flaw lets an attacker escape the intended dataset directory by supplying a crafted version string, for example through the load-version options of a pipeline configuration or the Kedro CLI. It affects Kedro versions from 0.0.0 up to, but not including, 1.3.0; the fix ships in version 1.3.0.
The root cause is the _get_versioned_path() method of versioned datasets, which interpolates the user-supplied version string directly into a filesystem path (dataset path / version / filename) without sanitising it. A version containing traversal sequences such as ../ therefore resolves to a location outside the versioned dataset directory. Successful exploitation lets the attacker read files the pipeline process can reach, including configuration files, credentials, or other sensitive data. The example referenced by the advisory reads a 'secrets' file through the CLI, which illustrates the data-exfiltration potential. Because versioned datasets are a core Kedro feature, any pipeline that accepts externally influenced version strings is exposed.
This vulnerability was publicly disclosed on April 6, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively easy to exploit. It is not currently listed on the CISA KEV catalog.
Data science teams and organisations using Kedro for pipeline orchestration are at risk, particularly those still on versions 0.0.0 through 1.2.9. Environments where Kedro pipelines process or store regulated data, such as financial or healthcare records, face a higher impact from a successful read. Multi-tenant hosts where several Kedro projects share one filesystem are also exposed, since a traversal from one project's data directory can reach another project's files.
• python / kedro:
import posixpath

def check_versioned_path(filepath, load_version):
    # The Kedro CLI passes load versions as "dataset_name:version"; keep only the version part.
    version = load_version.split(":", 1)[1] if ":" in load_version else load_version
    # Rebuild the versioned path the way _get_versioned_path() does
    # (filepath / version / filename), then normalise it.
    base = posixpath.normpath(filepath)
    path = posixpath.normpath(posixpath.join(base, version, posixpath.basename(base)))
    # A benign version keeps the result inside the dataset directory.
    if not path.startswith(base + "/"):
        print(f"Potential path traversal detected with version: {version!r} -> {path}")
        return False
    return True

# Example usage with a malicious version string in CLI "dataset:version" form
check_versioned_path("data/01_raw/dataset.csv", "dataset:../../../secrets")

• generic web: Check Kedro pipeline configuration files and run commands for version strings that contain traversal sequences (../) or absolute paths. Where version strings are accepted over HTTP (for example from a service that triggers Kedro runs), examine access logs for requests containing such path parameters.
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Kedro to version 1.3.0 or later, which contains the fix. If upgrading is not immediately feasible, validate version strings before they reach the catalog: accept only a single path component (Kedro's own versions are timestamps) and reject anything containing path separators or traversal sequences. Restrict access to the Kedro CLI, run configuration, and catalog files so that untrusted parties cannot set load versions. A Web Application Firewall or proxy only helps where version strings arrive over HTTP, for example from a service that triggers Kedro runs; Kedro itself is a library and CLI, not a web application. Monitor pipeline logs for dataset loads that resolve outside the expected versioned directories. After upgrading, confirm the fix by attempting to load a dataset with a crafted version string pointing outside its directory; the load should be rejected.
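The following added example (written for this page, not Kedro's own code) shows the vulnerable path construction described above next to a hardened form, and a small scanner for CLI-style "dataset:version" entries that implements the validation recommended in the mitigation. The path shape (dataset path / version / filename) follows the description of _get_versioned_path(); the allowlist pattern for a version string is this example's assumption, chosen so that Kedro's timestamp versions such as 2024-01-01T00.00.00.000Z pass while separators and traversal sequences fail.

```python
import posixpath
import re

# Assumption for this example: a valid version is exactly one path component.
# Kedro's generated versions (e.g. 2024-01-01T00.00.00.000Z) satisfy this;
# "../", "/etc/passwd" and backslash-separated strings do not.
SAFE_VERSION = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def versioned_path_unsafe(filepath: str, version: str) -> str:
    """Vulnerable construction: filepath / version / filename with the
    user-supplied version interpolated verbatim, then normalised as the
    filesystem would resolve it."""
    return posixpath.normpath(
        posixpath.join(filepath, version, posixpath.basename(filepath))
    )


def versioned_path_safe(filepath: str, version: str) -> str:
    """Hardened construction: allowlist the version string first, then verify
    that the normalised result still lies below the dataset directory."""
    if not SAFE_VERSION.match(version):
        raise ValueError(f"rejected version string: {version!r}")
    base = posixpath.normpath(filepath)
    candidate = posixpath.normpath(
        posixpath.join(base, version, posixpath.basename(base))
    )
    # Defence in depth: even if the allowlist were loosened later, an escape
    # from the dataset directory is still caught here.
    if not candidate.startswith(base + "/"):
        raise ValueError(f"version escapes dataset directory: {version!r}")
    return candidate


def is_safe_version(filepath: str, version: str) -> bool:
    """Boolean wrapper around versioned_path_safe for callers that only
    need an accept/reject decision."""
    try:
        versioned_path_safe(filepath, version)
        return True
    except ValueError:
        return False


def scan_load_versions(load_versions):
    """Return the CLI-style 'dataset:version' entries whose version part
    would not pass the allowlist (the configuration check from the
    detection section). Entries without a colon are skipped."""
    flagged = []
    for entry in load_versions:
        _name, sep, version = entry.partition(":")
        if sep and not SAFE_VERSION.match(version):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    dataset = "data/01_raw/dataset.csv"
    for v in ("2024-01-01T00.00.00.000Z", "../../../secrets", "/etc/passwd"):
        print(f"{v!r:32} unsafe -> {versioned_path_unsafe(dataset, v)}"
              f"  safe -> {is_safe_version(dataset, v)}")
    # Constructed sample of --load-versions entries, one benign and two malicious.
    print(scan_load_versions([
        "dataset:2024-01-01T00.00.00.000Z",
        "dataset:../../../secrets",
        "other:/etc/passwd",
    ]))
```

Note that an absolute version string is as dangerous as a relative traversal: joining a path with an absolute component discards everything before it, which is why the hardened form rejects separators outright rather than only looking for "..".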
Upgrade Kedro to version 1.3.0 or later to mitigate the path traversal vulnerability. That release adds the missing sanitisation when constructing file paths for versioned datasets, so a version string can no longer resolve to a file outside the intended versions directory.
CVE-2026-35167 is a path traversal vulnerability in Kedro's versioned datasets that lets an attacker read files outside the intended dataset directory by supplying a crafted version string.
You are affected if you are using Kedro versions 0.0.0 through 1.2.9. Upgrade to version 1.3.0 or later to mitigate the vulnerability.
Upgrade Kedro to version 1.3.0 or later. As a temporary workaround, implement input validation on version strings and restrict access to the Kedro environment.
As of now, there are no known active exploits for CVE-2026-35167, but the probability of exploitation could increase with wider awareness.
Refer to the Kedro project's official security advisories and release notes for detailed information and updates regarding CVE-2026-35167.