{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-3840/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-12T17:20:41.923Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-3840","@id":"https://www.cve.org/CVERecord?id=CVE-2026-3840","description":"A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to escape the intended versioned dataset directory and access files outside the expected path. The issue is also reachable through the CLI via the `--load-versions` parameter, as `_split_load_version"},"products":[{"@id":"cpe:2.3:a:kedro-org:kedro-org\\/kedro:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:kedro-org:kedro-org\\/kedro:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-12T17:20:41.923Z"}]}