PT-2026-30759 · Unknown · Kedro-Datasets

Redyank · Published 2026-04-06 · Updated 2026-04-07 · CVE-2026-35492

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Kedro-Datasets versions prior to 9.3.0

Description

The Kedro-Datasets plugin is susceptible to a path traversal issue in the PartitionedDataset component. Partition IDs were directly concatenated with the dataset base path without proper validation. Malicious input containing '..' components within a partition ID could allow an attacker to write files outside the intended dataset directory, potentially overwriting arbitrary files on the filesystem. This affects users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.).

Recommendations

Upgrade to kedro-datasets version 9.3.0 or later. As a temporary workaround, validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain '..' path components.
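
One way to apply the temporary workaround, as an added example that is not part of the advisory or of the Kedro-Datasets code base: it screens partition IDs for '..' components before the mapping is handed to PartitionedDataset. The function names, the base path `data/partitions` and the sample IDs are assumptions constructed for illustration, and the extra checks (absolute paths, backslashes, NUL bytes, containment after normalisation) go beyond the workaround the advisory states.

```python
import posixpath


class UnsafePartitionId(ValueError):
    """Raised when a partition ID could resolve outside the dataset base path."""


def validate_partition_id(partition_id: str, base_path: str = "data/partitions") -> str:
    """Return the joined path if partition_id stays under base_path, else raise."""
    # Treat backslashes as separators so "..\\x" is caught on any backend.
    candidate = partition_id.replace("\\", "/")
    if not candidate or ".." in candidate.split("/"):
        raise UnsafePartitionId(f"'..' component or empty ID: {partition_id!r}")
    if candidate.startswith("/") or "\x00" in candidate:
        raise UnsafePartitionId(f"absolute path or NUL byte: {partition_id!r}")
    # Defence in depth: normalise the joined path and confirm it is strictly inside base.
    base = posixpath.normpath(base_path)
    joined = posixpath.normpath(posixpath.join(base, candidate))
    if joined == base or posixpath.commonpath([base, joined]) != base:
        raise UnsafePartitionId(f"resolves outside {base!r}: {partition_id!r}")
    return joined


def filter_partitions(partitions: dict, base_path: str = "data/partitions"):
    """Split a {partition_id: data} mapping into accepted entries and rejected IDs."""
    accepted, rejected = {}, []
    for pid, data in partitions.items():
        try:
            validate_partition_id(pid, base_path)
            accepted[pid] = data
        except UnsafePartitionId:
            rejected.append(pid)
    return accepted, rejected


# Constructed sample input, not taken from the advisory.
SAMPLE = {
    "2026/04/part-0001": b"ok",
    "reports..v2/part-0002": b"ok",  # '..' inside a name is not a path component
    "../../outside/file": b"bad",
    "2026/../../outside": b"bad",
    "..\\outside": b"bad",
    "/abs/path": b"bad",
}

if __name__ == "__main__":
    print(filter_partitions(SAMPLE))
```

Rejected IDs are worth logging with their source, since a '..' component in a partition ID is rarely legitimate.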

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-35492
GHSA-CJG8-H5QC-HRJV

Affected Products

Kedro-Datasets