CVE-2026-3840 Overview
CVE-2026-3840 is a path traversal vulnerability [CWE-22] in Kedro version 1.2.0, an open-source data pipeline framework maintained by the Linux Foundation. The flaw resides in the _get_versioned_path() method in kedro/io/core.py, which interpolates user-supplied version strings directly into filesystem paths without sanitization. Attackers can supply crafted version strings to escape the intended versioned dataset directory and read files outside the expected path. The issue is also reachable through the command-line interface via the --load-versions parameter, since _split_load_versions() in kedro/framework/cli/utils.py performs no validation.
Critical Impact
A local authenticated user can read arbitrary files, poison dataset versions, and pivot across projects or tenants in shared Kedro environments.
Affected Products
- Linux Foundation Kedro 1.2.0 (Python package)
- Kedro CLI workflows accepting the --load-versions parameter
- Automation or orchestration layers invoking Kedro versioned datasets
Discovery Timeline
- 2026-06-12 - CVE-2026-3840 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-3840
Vulnerability Analysis
Kedro implements dataset versioning by appending a version identifier to a base dataset path. The _get_versioned_path() function in kedro/io/core.py constructs the final filesystem path by interpolating the caller-supplied version string into the path template. The function does not normalize, canonicalize, or reject path separators and traversal sequences within the version string.
An attacker supplies a version value containing ../ sequences. The resulting path resolves to a location outside the intended dataset directory. Kedro then opens the resolved path using the configured filesystem backend, returning file contents to the caller or writing attacker-controlled data to the targeted location.
The same code path is reachable from the CLI. The _split_load_versions() helper in kedro/framework/cli/utils.py parses the --load-versions argument into a mapping of dataset name to version string, then passes the value unchanged to the IO layer. Any user who can invoke kedro run against a project can trigger the traversal.
Root Cause
The root cause is missing input validation on version strings before they are concatenated into filesystem paths. Neither the IO layer nor the CLI parser enforces a whitelist of permitted characters or rejects path separators, parent-directory references, or absolute paths.
Attack Vector
The attacker requires local access and low privileges to invoke Kedro or supply a manifest consumed by an orchestrator. By passing a version string such as ../../etc/passwd through --load-versions or a programmatic API call, the attacker forces the IO layer to resolve a path outside the dataset root. In multi-tenant orchestration environments, this enables cross-project data reads and dataset poisoning. The vulnerability does not affect availability but produces high confidentiality and integrity impact.
No public proof-of-concept exploit is listed in the NVD record. Technical details are available in the Huntr Bug Bounty Report.
Detection Methods for CVE-2026-3840
Indicators of Compromise
- Kedro CLI invocations containing ../, ..\, or absolute paths within --load-versions arguments.
- Dataset version directories containing entries whose names include path separators or traversal tokens.
- Process audit logs showing kedro run accessing files outside the project data/ directory tree.
- Orchestrator job parameters where load_versions mappings carry non-timestamp values.
Detection Strategies
- Parse shell history and CI/CD job definitions for Kedro commands and flag any --load-versions value not matching the expected ISO-8601 timestamp pattern Kedro generates by default.
- Enable filesystem auditing (auditd, EDR file telemetry) on Kedro project roots and alert when the kedro process opens files outside the declared project directory.
- Review orchestration platform (Airflow, Argo, Prefect) task parameters that feed Kedro for untrusted user-supplied version strings.
Monitoring Recommendations
- Monitor Python process telemetry for kedro invocations and capture full command lines for offline analysis.
- Alert on read attempts against sensitive paths (/etc, home directories, secrets mounts) originating from accounts that run Kedro pipelines.
- Track changes to versioned dataset directories and flag writes where the version identifier deviates from the configured naming scheme.
How to Mitigate CVE-2026-3840
Immediate Actions Required
- Inventory hosts and container images running Kedro 1.2.0 and identify any pipeline that exposes --load-versions to untrusted input.
- Restrict execution of Kedro projects to dedicated, least-privilege service accounts that cannot read sensitive system files.
- Validate version strings at the application boundary using a strict regular expression such as ^[0-9T:.\-Z]+$ before invoking Kedro.
- Review orchestrator definitions and remove any user-controllable path into the load_versions parameter.
Patch Information
No fixed version is referenced in the NVD entry at the time of publication. Track the Huntr Bug Bounty Report and the Kedro project release notes for an updated build, and upgrade once a patched version is published.
Workarounds
- Wrap calls to Kedro datasets with a validator that rejects any version string containing /, \, .., or a leading path separator.
- Run Kedro inside a container or chroot whose filesystem exposes only the intended project directory, limiting traversal scope.
- Disable the --load-versions flag in CI/CD wrappers and pin dataset versions through trusted configuration files committed to source control.
# Configuration example: reject malformed version strings before invoking Kedro
VERSION="$1"
if ! [[ "$VERSION" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.[0-9]{3}Z$ ]]; then
echo "Rejected version string: $VERSION" >&2
exit 1
fi
kedro run --load-versions "dataset:${VERSION}"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

