Kedro-Org Kedro vulnerabilities
4 known vulnerabilities affecting kedro-org/kedro.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2
Vulnerabilities
CVE-2026-35171 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.3.0 | 2026-04-06
CVE-2026-35171 [CRITICAL] CWE-94
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this
CVE-2024-9701 | P2 | CRITICAL | affected ≥ 0, < 0.19.9 | 2025-03-20
CVE-2024-9701 [CRITICAL] CWE-502 Kedro deserialization vulnerability
A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Cr
CVE-2024-12215 | P3 | HIGH | affected ≥ 0, ≤ 0.19.8 | 2025-03-20
CVE-2024-12215 [HIGH] CWE-20 Kedro allows Remote Code Execution by Pulling Micro Packages
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's
CVE-2026-35167 | P3 | HIGH | CVSS 8.1 | fixed in 1.3.0 | 2026-04-06
CVE-2026-35167 [HIGH] CWE-22
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intende