CVSS 9.8 | CVE-2026-35167 | CVE-2026-35171

Critical: Remote Code Execution and Path Traversal in Kedro

Kedro versions <= 1.2.0 are vulnerable to critical Remote Code Execution (RCE) via logging configuration and path traversal. Patch immediately with 'pip install --upgrade kedro' to mitigate these severe risks.

Two critical vulnerabilities have been identified in Kedro, a popular Python framework for data science projects. These vulnerabilities, CVE-2026-35167 and CVE-2026-35171, allow for path traversal and arbitrary code execution, respectively. Patches are available in Kedro version 1.3.0.

CVE-2026-35171 carries a CVSS score of 9.8, indicating a critical vulnerability with a high likelihood of exploitation and severe impact.

What is Kedro?

Kedro is a framework designed to structure and manage data science projects in Python. It provides a modular architecture, reproducible pipelines, and a catalog for managing datasets. Kedro aims to improve the organization and maintainability of data science workflows, making them easier to collaborate on and deploy. Search all Kedro CVEs to stay informed about potential security issues.

Path Traversal Vulnerability in Versioned Dataset Loading

CVSS: 7.1
Affected versions: Kedro versions less than or equal to 1.2.0 are affected. This vulnerability is reachable through `catalog.load(..., version=...)`, `DataCatalog.from_config(..., load_versions=...)`, and the CLI.

High severity path traversal vulnerability.

The `_get_versioned_path()` method in Kedro constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. This allows an attacker to use traversal sequences (e.g., `../`) within the version string to access files outside the intended versioned dataset directory.

How to fix CVE-2026-35167 in Kedro

Patch immediately

  1. Upgrade Kedro to version 1.3.0 or later:

     pip install --upgrade kedro

Verify with:

     pip show kedro

Workaround: Validate version strings before passing them to DataCatalog or the CLI, ensuring they do not contain `..` segments, path separators, or absolute paths.

NextGuard automatically flags CVE-2026-35167 if Kedro appears in any of your monitored projects — no manual lookup required.

Arbitrary Code Execution via Malicious Logging Configuration

CVSS: 9.8
Affected versions: Kedro versions less than or equal to 1.2.0 are affected. This vulnerability is particularly dangerous as it allows for remote code execution.

Critical Remote Code Execution vulnerability.

Kedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.

How to fix CVE-2026-35171 in Kedro

Patch immediately

  1. Upgrade Kedro to version 1.3.0 or later:

     pip install --upgrade kedro

Verify with:

     pip show kedro

Workaround: If upgrading is not immediately possible, avoid allowing untrusted input to control the `KEDRO_LOGGING_CONFIG` environment variable, restrict write access to logging configuration files, and manually validate logging YAML.
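The two workarounds above (rejecting unsafe version strings before they reach the catalog, and reviewing a logging YAML for `()` factory keys before Kedro loads it) as an added example; this is hypothetical helper code written for this page, not Kedro's own, and the logging config below is a constructed sample rather than one taken from the advisory.

```python
import re
from typing import Any

# Hypothetical helper (not Kedro's own code). Kedro's generated versions look like
# timestamps, e.g. 2024-01-31T12.00.00.000Z; anything outside this character set
# is rejected before it reaches catalog.load(..., version=...).
_SAFE_VERSION = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

def is_safe_version(version: str) -> bool:
    """Return True only if `version` cannot escape the versioned dataset directory."""
    if not version or version in (".", ".."):
        return False
    # Path separators (POSIX and Windows) and any ".." sequence are rejected outright;
    # an absolute path necessarily contains a separator, so it is covered as well.
    if "/" in version or "\\" in version or ".." in version:
        return False
    return _SAFE_VERSION.match(version) is not None

def find_callable_keys(node: Any, path: str = "") -> list[str]:
    """List the dotted locations of every "()" key in a logging-config mapping.

    dictConfig treats "()" as a factory to import and call, so each hit in a
    config from an untrusted source must be reviewed (or the config rejected).
    """
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "()":
                found.append(here)
            found.extend(find_callable_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_callable_keys(item, f"{path}[{i}]"))
    return found

# Constructed sample config (in practice the result of yaml.safe_load on the file
# named by KEDRO_LOGGING_CONFIG); the "custom" handler carries a "()" factory.
SAMPLE_LOGGING_CONFIG = {
    "version": 1,
    "formatters": {"simple": {"format": "%(message)s"}},
    "handlers": {
        "console": {"class": "logging.StreamHandler", "formatter": "simple"},
        "custom": {"()": "some.module.make_handler", "level": "INFO"},
    },
    "root": {"level": "INFO", "handlers": ["console"]},
}
```

Run `find_callable_keys` on the parsed logging config before handing it to Kedro; an empty result means no factory entries, and any hit names the exact handler, formatter or filter to inspect.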

NextGuard automatically flags CVE-2026-35171 if Kedro appears in any of your monitored projects — no manual lookup required.

Stay ahead of Python vulnerabilities

Proactively identify and mitigate risks in your Python projects. Continuous monitoring and dependency scanning are crucial for maintaining a secure development environment. Monitor your Python dependencies to ensure you're always protected.

The vulnerabilities in Kedro highlight the importance of keeping your dependencies up to date and implementing robust security practices. Prompt patching is essential to protect your data science projects from potential exploitation. See all Python vulnerabilities to stay informed about the latest threats.
