CVE-2026-35171

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.

Vulnerability Details

Published Date

April 03, 2026

Last Modified

April 07, 2026

CWE ID

CWE-94

Source

GitHub

Vendor

pip

Product

kedro

External References

https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r
https://github.com/advisories/GHSA-9cqf-439c-j96r

CVE-2026-35171

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment