CVE-2026-35171: Kedro <=1.2.0 RCE Vulnerability (CVSS 9.8)
Platform: python
Component: kedro
Fixed in: 1.3.0
CVE-2026-35171 is a critical Remote Code Execution (RCE) vulnerability affecting Kedro versions 1.2.0 and earlier. This vulnerability stems from the unsafe use of `logging.config.dictConfig()` with user-controlled input, allowing attackers to execute arbitrary system commands during application startup. The vulnerability is fixed in Kedro version 1.3.0 by introducing validation to reject unsafe configurations.
How to fix
Upgrade Kedro to version 1.3.0 or later to mitigate this vulnerability. The update corrects the missing validation of the logging configuration, preventing arbitrary code execution via the KEDRO_LOGGING_CONFIG environment variable.
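As an added example (not Kedro's own code and not its 1.3.0 patch), one way to validate a logging dictionary before handing it to `logging.config.dictConfig()`: `()` factory keys, handler classes outside an allowlist and `ext://` references other than stdout/stderr are rejected, so a config taken from an environment variable or file can no longer make `dictConfig()` import and call arbitrary code. The allowlists and the `some_module` names in the constructed sample are assumptions.

```python
import logging
import logging.config

# Handler classes a config may instantiate (assumption: a small stdlib allowlist).
ALLOWED_HANDLER_CLASSES = {"logging.StreamHandler", "logging.FileHandler",
                           "logging.handlers.RotatingFileHandler"}
# The only ext:// references dictConfig may resolve; any other one imports code.
ALLOWED_EXT_REFS = {"ext://sys.stdout", "ext://sys.stderr"}

def _walk(node, path, findings):
    # Recursively flag every construct that makes dictConfig import code.
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "()":  # user-defined factory callable: refuse outright
                findings.append(f"{here}: '()' factory callables are not allowed")
            _walk(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)
    elif isinstance(node, str) and node.startswith("ext://"):
        if node not in ALLOWED_EXT_REFS:
            findings.append(f"{path}: external reference {node!r} is not allowed")

def validate_logging_config(cfg):
    # Return the problems found; an empty list means the config is accepted.
    findings = []
    if cfg.get("version") != 1:
        findings.append("version: must be 1")
    for name, handler in (cfg.get("handlers") or {}).items():
        cls = handler.get("class") if isinstance(handler, dict) else None
        if cls is not None and cls not in ALLOWED_HANDLER_CLASSES:
            findings.append(f"handlers.{name}.class: {cls!r} is not allowlisted")
    _walk(cfg, "", findings)
    return findings

def apply_logging_config(cfg):
    # Hand the config to dictConfig only after it has passed validation.
    problems = validate_logging_config(cfg)
    if problems:
        raise ValueError("unsafe logging config: " + "; ".join(problems))
    logging.config.dictConfig(cfg)

# Constructed untrusted config: 'console' is fine; 'custom' uses a '()' factory
# and a non-allowlisted ext:// import (some_module is a hypothetical name).
UNTRUSTED_CONFIG = {"version": 1, "handlers": {
    "console": {"class": "logging.StreamHandler", "stream": "ext://sys.stdout"},
    "custom": {"()": "some_module.make_handler", "stream": "ext://some_module.sink"},
}}
```

Calling `apply_logging_config(UNTRUSTED_CONFIG)` raises `ValueError` listing both findings, and nothing is imported from the untrusted names.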
Frequently asked questions
What is CVE-2026-35171?
CVE-2026-35171 is a critical Remote Code Execution (RCE) vulnerability in Kedro that allows attackers to execute arbitrary system commands.
Am I affected by CVE-2026-35171?
You are affected if you are using Kedro version 1.2.0 or earlier. This vulnerability allows for remote code execution.
How do I fix CVE-2026-35171?
Upgrade to Kedro version 1.3.0 or later. This version includes a fix that validates logging configurations to prevent arbitrary code execution.