CVE-2026-35171

CRITICAL

Arbitrary Code Execution via Malicious Logging Configuration in Kedro

Title source: cna

Description

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.

References (1)

[X_Refsource_Confirm] https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r

Scores

CVSS v3 9.8

EPSS 0.0019

EPSS Percentile 39.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502 CWE-94

Status published

Products (3)

kedro-org/kedro < 1.3.0

linuxfoundation/kedro < 1.3.0

pypi/kedro 0 - 1.3.0PyPI

Published Apr 06, 2026

Tracked Since Apr 06, 2026