PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3840 kedro-org CVE debrief

A high-severity path traversal vulnerability exists in Kedro version 1.2.0. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization, allowing an attacker to escape the intended versioned dataset directory and access files outside the expected path. This issue is also reachable through the CLI via the `--load-versions` parameter, as `_split_load_versions()` in `kedro/framework/cli/utils.py` does not validate the version string. Successful exploitation can lead to unauthorized file reads, data poisoning, cross-project or cross-tenant data access, and broader downstream impacts in environments where Kedro is used with automation or orchestration layers.

Vendor: kedro-org
Product: kedro-org/kedro
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of Kedro version 1.2.0, especially those using it with automation or orchestration layers, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the `_get_versioned_path()` method in `kedro/io/core.py`, which interpolates user-supplied version strings into filesystem paths without sanitization, and is also reachable through the `_split_load_versions()` method in `kedro/framework/cli/utils.py`, which passes `--load-versions` values on without validating them. The CVSS score for this vulnerability is 7.1, indicating high severity.

Defensive priority

High

Recommended defensive actions

  • Upgrade to a patched version of Kedro.
  • Implement input validation and sanitization for version strings.
  • Use secure practices when working with filesystem paths.
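The following is an added example, not Kedro's own code: it shows the unsafe join pattern described above beside an allow-list check for version strings and a containment test on the resulting path. The `<filepath>/<version>/<filename>` layout, the timestamp regex and the `dataset:version` CLI format are assumptions made for this example.

```python
import posixpath
import re

# Constructed values for this example; they are not taken from Kedro's source.
FILEPATH = "/data/03_primary/cars.csv"

# Assumed allow-list for a version string. Kedro uses timestamp-style identifiers
# such as 2024-01-15T10.30.00.000Z; the exact regex is this example's own choice.
VERSION_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}\.[0-9]{2}\.[0-9]{2}\.[0-9]{3}Z")

def naive_versioned_path(filepath: str, version: str) -> str:
    """Unsafe pattern: the version is joined straight into <filepath>/<version>/<name>."""
    return posixpath.normpath(posixpath.join(filepath, version, posixpath.basename(filepath)))

def escapes_base(filepath: str, candidate: str) -> bool:
    """True when the normalised candidate no longer lives under filepath."""
    base = posixpath.normpath(filepath)
    return posixpath.commonpath([base, posixpath.normpath(candidate)]) != base

def is_valid_version(version: str) -> bool:
    """Allow-list check: exact timestamp shape, so separators and '..' cannot appear."""
    return VERSION_RE.fullmatch(version) is not None

def safe_versioned_path(filepath: str, version: str) -> str:
    """Hardened variant: validate the input, then confirm the result stays inside filepath."""
    if not is_valid_version(version):
        raise ValueError(f"rejected version string: {version!r}")
    candidate = naive_versioned_path(filepath, version)
    if escapes_base(filepath, candidate):  # defence in depth behind the allow-list
        raise ValueError(f"version {version!r} resolves outside {filepath}")
    return candidate

def parse_load_versions(entries) -> dict:
    """Parse CLI-style 'dataset:version' entries, rejecting unsafe versions up front."""
    versions = {}
    for entry in entries:
        name, sep, version = entry.partition(":")
        if not sep or not name or not is_valid_version(version):
            raise ValueError(f"rejected --load-versions entry: {entry!r}")
        versions[name] = version
    return versions

def rejected(fn, *args) -> bool:
    """Helper for checks: True when fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Run the allow-list check at the CLI boundary and the containment check at the point of path construction; either alone would have caught the traversal, and together they also guard against a future change to the allowed version format.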

Evidence notes

Evidence for this vulnerability comes from the CVE record and the NVD detail page. [cve-org] [nvd]

Official resources

CVE-2026-3840 was published on 2026-06-12T17:16:22.603Z and modified on 2026-06-12T18:16:33.480Z.