Cyber Resilience

CVE-2026-35167

Severity: High
Published: 06 April 2026
Modified: 14 April 2026
KEV added: not listed
Patch: fixed in Kedro 1.3.0
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.0033 (24.3rd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35167 is a high-severity Path Traversal (CWE-22) vulnerability in Linuxfoundation Kedro. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Data Processing Libraries, in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35167 is a path traversal vulnerability (CWE-22) in Kedro, a toolbox for production-ready data science, affecting versions prior to 1.3.0. The flaw occurs in the _get_versioned_path() method within kedro/io/core.py, which constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. As a result, traversal sequences such as ../ are preserved, allowing escape from the intended versioned dataset directory. The vulnerability was published on 2026-04-06 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

An attacker who can influence the version string can exploit this issue through multiple entry points, including catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. Exploitation requires low privileges (PR:L) and is network-accessible with low complexity (AC:L), enabling the loading of files from outside the intended version directory. Potential impacts include unauthorized file reads, data poisoning, or cross-tenant data access in shared environments.

The vulnerability is addressed in Kedro 1.3.0. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw and the related pull request at https://github.com/kedro-org/kedro/pull/5442.

Vulnerability details

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.
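Added example (not Kedro's own code, and not the fix shipped in 1.3.0): a simplified model of the versioned-path construction described above, showing the unchecked interpolation beside a hardened form that allow-lists the version string and then independently confirms the normalised path still sits under the dataset directory. The base path, the allow-list pattern, the sample version and the helper names are assumptions for this example.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed example dataset path. Kedro lays a versioned dataset out as
# <filepath>/<version>/<filename>; a real project would pass its own path.
BASE = PurePosixPath("/data/01_raw/companies.csv")
GOOD_VERSION = "2026-04-06T10.00.00.000Z"   # timestamp-shaped, constructed
TRAVERSAL = "../../../secrets"              # payload shape quoted in the advisory

# Allow-list for a single path component: alphanumerics, dot, dash and
# underscore, never a separator. This pattern is an assumption for the
# example, not Kedro's rule.
VERSION_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


class InvalidVersion(ValueError):
    """Raised when a version string is not usable as one path component."""


def versioned_path_unsafe(base: PurePosixPath, version: str) -> str:
    """Models the weakness: the version is interpolated with no checks."""
    return posixpath.normpath(f"{base}/{version}/{base.name}")


def validate_version(version: str) -> str:
    """Accept only a separator-free component; '.' and '..' cannot match."""
    if not VERSION_RE.fullmatch(version):
        raise InvalidVersion(f"rejected version string: {version!r}")
    return version


def versioned_path_safe(base: PurePosixPath, version: str) -> str:
    """Validate the input, then confirm containment as a second, independent check."""
    candidate = posixpath.normpath(f"{base}/{validate_version(version)}/{base.name}")
    if posixpath.commonpath([str(base), candidate]) != str(base):
        raise InvalidVersion("resolved path escapes the dataset directory")
    return candidate


def demo() -> dict:
    """Compare both constructions on a benign version and on the traversal string."""
    result = {
        "unsafe_benign": versioned_path_unsafe(BASE, GOOD_VERSION),
        "unsafe_traversal": versioned_path_unsafe(BASE, TRAVERSAL),
        "safe_benign": versioned_path_safe(BASE, GOOD_VERSION),
    }
    try:
        versioned_path_safe(BASE, TRAVERSAL)
        result["safe_traversal_rejected"] = False
    except InvalidVersion:
        result["safe_traversal_rejected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```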

AI Security Analysis

AI Category: Data Processing Libraries
Risk Domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: data poisoning

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in a network-accessible Kedro component directly enables exploitation of a public-facing application (T1190) to achieve unauthorized reads of local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35171 (same product: Linuxfoundation Kedro)
CVE-2026-27969 (same vendor: Linuxfoundation)
CVE-2026-33211 (same vendor: Linuxfoundation)
CVE-2025-59352 (same vendor: Linuxfoundation)
CVE-2025-51480 (same vendor: Linuxfoundation)
CVE-2026-27489 (same vendor: Linuxfoundation)
CVE-2026-41491 (same vendor: Linuxfoundation)
CVE-2026-37531 (same vendor: Linuxfoundation)
CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)

Affected Assets

linuxfoundation / kedro ≤ 1.3.0

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): Directly prevents path traversal by requiring validation of user-supplied version strings interpolated into filesystem paths in _get_versioned_path().
Prevent, SI-2 (Flaw Remediation): Mitigates the specific flaw by requiring timely remediation through patching to Kedro 1.3.0, where path sanitization is implemented.
Prevent: Enforces access controls to block unauthorized file reads outside the intended versioned dataset directory even if traversal paths are constructed.