PT-2026-51837 · Feast · Feast

Tanguy Snoeck · Published 2026-06-24 · Updated 2026-06-24

CVE-2026-56121 · CVSS v3.1 9.8 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Feast versions prior to 0.63.0

Description: An unsafe deserialization issue exists in the registry server that allows unauthenticated or unauthorized attackers to achieve remote code execution. The problem occurs because the `user_defined_function.body` field of an OnDemandFeatureView spec is base64-decoded and passed to `dill.loads()` before any authorization checks are performed. Attackers can exploit this by sending a crafted gRPC request containing a malicious serialized Python object with an arbitrary `__reduce__` method to execute OS commands as the Feast service account.

Recommendations: Update to version 0.63.0 or newer.
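As an added illustration (not code from Feast or from this advisory), the following Python sketch contrasts the flawed handler ordering described above, in which the UDF body is decoded and unpickled before the caller is authorized, with an authorize-first handler that keeps the body as opaque bytes. Stdlib `pickle` stands in for `dill.loads()`, the policy check and every handler name are hypothetical, and the request spec is constructed inline.

```python
"""Registry-server handler ordering: deserialize-then-authorize (the
flaw described in the advisory) versus authorize-then-store.
Constructed illustration; stdlib pickle stands in for dill.loads(),
and all names below are hypothetical, not Feast's own API."""
import base64
import pickle

# Records every deserialization so a test can prove when it happened.
DESERIALIZE_CALLS = []

def deserialize_udf_body(encoded_body: str):
    """Mirrors the risky step: base64-decode, then unpickle the bytes."""
    raw = base64.b64decode(encoded_body)
    DESERIALIZE_CALLS.append(len(raw))
    return pickle.loads(raw)  # dill.loads() in the affected server

def is_authorized(principal: str, action: str) -> bool:
    """Stand-in policy: only 'admin' may apply feature views."""
    return principal == "admin" and action == "apply_odfv"

def apply_odfv_vulnerable(principal: str, spec: dict):
    """Flawed order: the UDF body is deserialized before authorization,
    so an unauthenticated caller reaches pickle.loads() with their bytes."""
    udf = deserialize_udf_body(spec["user_defined_function"]["body"])
    if not is_authorized(principal, "apply_odfv"):
        raise PermissionError("not allowed")
    return {"name": spec["name"], "udf": udf}

def apply_odfv_hardened(principal: str, spec: dict):
    """Fixed order: authorize first; the body stays opaque bytes in the
    registry and is never unpickled on behalf of the request."""
    if not is_authorized(principal, "apply_odfv"):
        raise PermissionError("not allowed")
    body = spec["user_defined_function"]["body"]
    raw = base64.b64decode(body, validate=True)  # reject malformed input
    if len(raw) > 1_000_000:
        raise ValueError("udf body too large")
    return {"name": spec["name"], "udf_body": raw}  # stored, not executed

def make_spec(payload_obj) -> dict:
    """Constructed request spec whose body is a benign pickled object."""
    body = base64.b64encode(pickle.dumps(payload_obj)).decode()
    return {"name": "demo_view", "user_defined_function": {"body": body}}

def rejected(handler, principal: str, spec: dict) -> bool:
    """True if the handler refused the caller with PermissionError."""
    try:
        handler(principal, spec)
        return False
    except PermissionError:
        return True
```

Run against an unauthorized principal, the vulnerable handler records a deserialization before it rejects the request, while the hardened one rejects without ever touching the payload.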

Tags: RCE, Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers: CVE-2026-56121

Affected Products: Feast