CVE-2026-35167

High

Published: 06 April 2026

Published

06 April 2026

Modified

14 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0002 6.3th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35167 is a high-severity Path Traversal (CWE-22) vulnerability in Linuxfoundation Kedro. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms; in the Adversarial Attacks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents path traversal by requiring validation of user-supplied version strings interpolated into filesystem paths in _get_versioned_path().

SI-2 Flaw Remediation good match

prevent

Mitigates the specific flaw by requiring timely remediation through patching to Kedro 1.3.0 where path sanitization is implemented.

AC-3 Access Enforcement partial match

prevent

Enforces access controls to block unauthorized file reads outside the intended versioned dataset directory even if traversal paths are constructed.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

Path traversal in network-accessible Kedro component directly enables exploitation of public-facing application (T1190) to achieve unauthorized reads of local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../…

are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.

Deeper analysisAI

CVE-2026-35167 is a path traversal vulnerability (CWE-22) in Kedro, a toolbox for production-ready data science, affecting versions prior to 1.3.0. The flaw occurs in the _get_versioned_path() method within kedro/io/core.py, which constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. As a result, traversal sequences such as ../ are preserved, allowing escape from the intended versioned dataset directory. The vulnerability was published on 2026-04-06 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

An attacker who can influence the version string can exploit this issue through multiple entry points, including catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. Exploitation requires low privileges (PR:L) and is network-accessible with low complexity (AC:L), enabling the loading of files from outside the intended version directory. Potential impacts include unauthorized file reads, data poisoning, or cross-tenant data access in shared environments.

The vulnerability is addressed in Kedro 1.3.0. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw and the related pull request at https://github.com/kedro-org/kedro/pull/5442.