Platform
python
Component
kedro
Fixed in
1.3.1
1.3.0
CVE-2026-35171 is a critical Remote Code Execution (RCE) vulnerability affecting Kedro versions 1.2.0 and earlier. This vulnerability stems from the unsafe use of logging.config.dictConfig() with user-controlled input, allowing attackers to execute arbitrary system commands during application startup. The vulnerability is fixed in Kedro version 1.3.0 by introducing validation to reject unsafe configurations.
CVE-2026-35171 is a critical remote code execution (RCE) vulnerability in Kedro, stemming from the unsafe use of logging.config.dictConfig() with user-controlled input. Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application execution, potentially compromising the confidentiality, integrity, and availability of the system.
An attacker could exploit this vulnerability by setting the KEDROLOGGINGCONFIG environment variable to point to a malicious logging configuration file. This file could contain an arbitrary call that executes system commands. Since Kedro loads this configuration without validation, the call would be executed with the privileges of the Kedro process. This could allow an attacker to gain control of the system or access sensitive data. The ease of exploitation lies in the simplicity of manipulating the environment variable and the lack of validation within Kedro.
Exploit Status
EPSS
0.40% (60% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35171 is to upgrade Kedro to version 1.3.0 or later. This version includes a fix that validates the logging configuration and prevents arbitrary code execution. If an immediate upgrade is not possible, it is recommended to avoid using the KEDROLOGGINGCONFIG environment variable and instead configure logging directly within the application code. Additionally, review and validate any existing logging configuration files to ensure they do not contain malicious configurations. Monitoring system logs for suspicious activity can also help detect and respond to potential attacks.
Actualice Kedro a la versión 1.3.0 o superior para mitigar esta vulnerabilidad. La actualización corrige la falta de validación en la configuración de registro, evitando la ejecución de código arbitrario a través de la variable de entorno KEDRO_LOGGING_CONFIG.
Vulnerability analysis and critical alerts directly to your inbox.
It's a remote code execution (RCE) vulnerability in Kedro that allows an attacker to execute arbitrary commands on the system.
Upgrade Kedro to version 1.3.0 or later. If that's not possible, avoid using KEDROLOGGINGCONFIG and configure logging directly in the code.
An attacker could gain control of the system, access sensitive data, or disrupt service.
It's a Python function used to configure the logging system. The vulnerability lies in its ability to execute arbitrary code if used with unvalidated input.
Currently, there are no specific tools to detect this vulnerability. It's recommended to review Kedro code and configuration for potential issues.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.