Package details: pkg:pypi/kedro@0.19.2
purl: pkg:pypi/kedro@0.19.2
Next non-vulnerable version: 1.3.0
Latest non-vulnerable version: 1.3.0
Risk: 4.5
Vulnerabilities affecting this package (2)

Vulnerability: VCID-6x1m-q9dg-9ycx
Aliases: CVE-2026-35171, GHSA-9cqf-439c-j96r, PYSEC-2026-72
Summary: Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Fixed by: 1.3.0 (affected by 0 other vulnerabilities)

Vulnerability: VCID-th6m-yd2z-ykba
Aliases: CVE-2026-35167, GHSA-6326-w46w-ppjw, PYSEC-2026-71
Summary: Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.
Fixed by: 1.3.0 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)

This package is not known to fix vulnerabilities.

Date: 2026-06-02T04:24:30.392933+00:00
Actor: Pypa Importer
Action: Affected by
Vulnerability: VCID-6x1m-q9dg-9ycx
Source: https://github.com/pypa/advisory-database/blob/main/vulns/kedro/PYSEC-2026-72.yaml
VulnerableCode version: 38.6.0

Date: 2026-06-02T04:24:30.077206+00:00
Actor: Pypa Importer
Action: Affected by
Vulnerability: VCID-th6m-yd2z-ykba
Source: https://github.com/pypa/advisory-database/blob/main/vulns/kedro/PYSEC-2026-71.yaml
VulnerableCode version: 38.6.0