PT-2026-30019 · Kedro · Kedro
Wernerina
·
Published
2026-04-03
·
Updated
2026-04-06
·
CVE-2026-35171
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kedro versions prior to 1.3.0
Description
Kedro is susceptible to a critical Remote Code Execution (RCE) vulnerability caused by passing user-controlled input to logging.config.dictConfig() without validation. The path of the logging configuration file can be set through the KEDRO_LOGGING_CONFIG environment variable, and the file is loaded without validating its contents. The dictConfig schema supports a special () key that names an arbitrary callable to instantiate; dictConfig imports that callable and calls it while the configuration is applied. An attacker who controls the logging configuration can therefore execute arbitrary system commands during application startup. The vulnerability is fixed by rejecting the unsafe () factory key in logging configurations before they are passed to dictConfig().
Recommendations
Upgrade to Kedro version 1.3.0 or later.
If upgrading is not immediately possible:
- Do not allow untrusted input to control the KEDRO_LOGGING_CONFIG environment variable.
- Restrict write access to logging configuration files.
- Avoid using externally supplied or dynamically generated logging configurations.
- Manually validate logging YAML to ensure it does not contain the () key.
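The example below is added here to illustrate the mechanism described in this advisory and the last mitigation above; it is not Kedro's code and not the project's fix. It shows how a parsed logging configuration containing a () factory key makes logging.config.dictConfig() import and call whatever dotted path the key names (the stand-in module attacker_payload and its callable run are constructed for the demonstration and only record that they were invoked; a real payload would spawn a process), and beside it a validator that walks the parsed configuration, reports every () key with its location, and refuses to apply such a configuration. The function names load_unsafely, find_factory_keys and load_safely and the sample configurations are assumptions of this example.

```python
import logging
import logging.config
import sys
import types

# Constructed stand-in for an attacker-reachable callable. dictConfig resolves
# the dotted path in a "()" key with __import__ + getattr and then calls it, so
# any importable callable runs during startup. A real attacker would name one
# that spawns a process; this payload only records that it was called and
# returns a real handler so logging keeps working afterwards.
PAYLOAD_CALLS = []

def _payload(**kwargs):
    PAYLOAD_CALLS.append(kwargs)
    return logging.NullHandler()

_fake_module = types.ModuleType("attacker_payload")   # hypothetical module name
_fake_module.run = _payload
sys.modules["attacker_payload"] = _fake_module

# Constructed: what an attacker-controlled logging.yml looks like once parsed.
# Every extra key next to "()" is passed to the callable as a keyword argument.
MALICIOUS_CONFIG = {
    "version": 1,
    "handlers": {
        "console": {
            "()": "attacker_payload.run",   # factory key: arbitrary callable
            "marker": "pwned",              # becomes run(marker="pwned")
        }
    },
    "root": {"level": "INFO", "handlers": ["console"]},
}

# Constructed: a benign configuration that uses "class" instead of "()".
SAFE_CONFIG = {
    "version": 1,
    "handlers": {
        "console": {"class": "logging.StreamHandler", "level": "INFO"}
    },
    "root": {"level": "INFO", "handlers": ["console"]},
}

def load_unsafely(config):
    """Vulnerable pattern: hand the parsed file straight to dictConfig.
    Returns how many times the payload has run so far."""
    logging.config.dictConfig(config)
    return len(PAYLOAD_CALLS)

def find_factory_keys(node, path=""):
    """Walk a parsed logging config (dicts and lists, as YAML produces) and
    return the dotted location of every "()" key, e.g. "handlers.console.()".
    Formatters and filters can carry "()" too, so the walk is recursive."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "()":
                found.append(here)
            found.extend(find_factory_keys(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_factory_keys(item, f"{path}[{index}]"))
    return found

def load_safely(config):
    """Hardened pattern: refuse any configuration that contains a "()" key,
    then apply it with dictConfig. Returns True when the config was applied."""
    offenders = find_factory_keys(config)
    if offenders:
        raise ValueError(f"unsafe '()' factory key in logging config: {offenders}")
    logging.config.dictConfig(config)
    return True

if __name__ == "__main__":
    print("vulnerable path, payload calls:", load_unsafely(MALICIOUS_CONFIG))
    try:
        load_safely(MALICIOUS_CONFIG)
    except ValueError as exc:
        print("hardened path rejected config:", exc)
    print("hardened path applied safe config:", load_safely(SAFE_CONFIG))
```

The validator rejects the key wherever it appears, not only under handlers, because dictConfig honours () in the formatters and filters sections as well; a check limited to one section would leave the other paths open.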
Fix
RCE
Deserialization of Untrusted Data
Code Injection
Related Identifiers
Affected Products
Kedro