{"data":{"id":"7222da97-4c1c-4917-9e23-daa7936a025b","title":"GHSA-cjg8-h5qc-hrjv: kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write","summary":"PartitionedDataset in kedro-datasets had a path traversal vulnerability (a flaw in which \"..\" sequences in a path are used to reach files outside an intended directory). By including \"..\" in partition IDs (the names that identify individual partitions of a dataset), an attacker could cause files to be written outside the dataset's base directory, anywhere on a system. This affected all users regardless of storage type, whether local or cloud-based.","solution":"Upgrade to kedro-datasets version 9.3.0 or later. The patch normalizes paths using `posixpath.normpath` and validates that resolved paths stay within the dataset base directory before use, raising a `DatasetError` if the path escapes that directory. Users who are unable to upgrade should validate partition IDs themselves, ensuring they do not contain \"..\" path components, before passing them to PartitionedDataset.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-cjg8-h5qc-hrjv","publishedAt":"2026-04-06T17:55:14.000Z","cveId":"CVE-2026-35492","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["kedro-datasets@< 9.3.0 (fixed: 9.3.0)"],"affectedVendors":[],"affectedVendorsRaw":["kedro-datasets","Kedro"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-06T17:55:14.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":"training_data","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}