CVE-2026-35492

MEDIUM

Kedro-Datasets <9.3.0 PartitionedDataset - Path Traversal Arbitrary File Write

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-35492. PoCs published by redyank.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-35492, a path traversal vulnerability in kedro-datasets' PartitionedDataset. It explains the root cause, impact, patches, and workarounds without including functional exploit code.

Description

Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.

Exploits (1)

nomisec WRITEUP

by redyank · poc

https://github.com/redyank/CVE-2026-35492

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-35492, a path traversal vulnerability in kedro-datasets' PartitionedDataset. It explains the root cause, impact, patches, and workarounds without including functional exploit code.

Classification

Writeup 100%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: kedro-datasets < 9.3.0

No auth needed

Prerequisites: Access to a system using PartitionedDataset with unvalidated partition IDs

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/kedro-org/kedro-plugins/security/advisories/GHSA-cjg8-h5qc-hrjv

X_Refsource_Misc x_refsource_misc

https://github.com/kedro-org/kedro/issues/5452

X_Refsource_Misc x_refsource_misc

https://github.com/kedro-org/kedro-plugins/pull/1346

Scores

CVSS v3 6.5

EPSS 0.0043

EPSS Percentile 33.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

kedro-org/kedro-plugins < 9.3.0

pypi/kedro-datasets 0 - 9.3.0PyPI

Published Apr 07, 2026

Tracked Since Apr 07, 2026