CVE-2026-35171
Published 2026-04-06
Priority: P2 (65)
Severity: Critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% (49.0th percentile)
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kedro-org | kedro | < 1.3.0 | 1.3.0 |
| kedro-org | kedro | >= 0 < 1.3.0 | 1.3.0 |
| linuxfoundation | kedro | < 1.3.0 | 1.3.0 |
GHSA
ghsa · 2026-04-03
CVE-2026-35171 [CRITICAL] CWE-502: Kedro has Arbitrary Code Execution via Malicious Logging Configuration
### Impact
This is a **critical remote code execution (RCE)** vulnerability caused by unsafe use of `logging.config.dictConfig()` with user-controlled input.
Kedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the special `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.
---
### Patches
The vulnerability is fixed by introducing validation that rejects the unsafe `()` factory key in logging configurations before passing them to `dictConfig()`.
#### Fixed in
- Kedro 1.3.0
Users shou
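As an added example (my code, not Kedro's and not part of the advisory), the mechanism described under Impact and the kind of check described under Patches, end to end: a constructed logging config whose `()` key names a callable, a loader in the pre-fix shape that hands the parsed file straight to `logging.config.dictConfig()`, and a hardened loader that walks the whole tree and refuses any `()` key before `dictConfig()` is called. Assumptions that are mine rather than the advisory's: the function names, a JSON file standing in for Kedro's YAML (the parsed dict and the check are the same), a harmless recorder callable in place of an attacker's `os.system`, and an allowlist for the handler `class` key. That allowlist goes beyond the fix the advisory describes: CPython's `dictConfig` imports whatever dotted name `class` holds and calls it with the remaining keys as keyword arguments, so this example pins it as defense in depth; whether Kedro's own validation also constrains `class` is not stated on this page.

```python
import json
import logging.config
import os
import sys
import tempfile
import types

FACTORY_KEY = "()"

# Example allowlist for the `class` key (tune to your project). dictConfig
# imports any dotted name found there and calls it with the remaining keys as
# kwargs, so pinning it is defense in depth on top of rejecting `()`.
ALLOWED_HANDLER_CLASSES = {
    "logging.StreamHandler",
    "logging.handlers.RotatingFileHandler",
    "rich.logging.RichHandler",  # what Kedro's default logging config uses
}
EXECUTED = []  # proof that the factory ran


def record_factory(**kwargs):
    """Harmless stand-in for an attacker's os.system: dictConfig calls whatever
    `()` names, with the sibling keys as kwargs, while applying the config."""
    EXECUTED.append(kwargs.get("marker"))
    return logging.StreamHandler()


# dictConfig resolves "<module>.record_factory" by importing <module>, so make
# sure this module is registered under __name__ (a no-op when imported normally).
sys.modules.setdefault(__name__, types.ModuleType(__name__)).record_factory = record_factory

# Constructed malicious config in the shape the advisory describes.
MALICIOUS_CONFIG = {
    "version": 1,
    "handlers": {
        "evil": {FACTORY_KEY: f"{__name__}.record_factory",
                 "marker": "factory ran during logging setup"},
    },
    "root": {"handlers": ["evil"], "level": "INFO"},
}


def find_factory_keys(node, path="$"):
    """Paths of every `()` key in the tree; dictConfig honours it in handlers,
    formatters and filters alike, so the walk must be recursive."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == FACTORY_KEY:
                hits.append(here)
            hits.extend(find_factory_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_factory_keys(item, f"{path}[{i}]"))
    return hits


def validate_logging_config(config):
    """Reasons to refuse the config; an empty list means it may be applied."""
    problems = [f"factory key at {p}" for p in find_factory_keys(config)]
    for name, handler in (config.get("handlers") or {}).items():
        cls = handler.get("class") if isinstance(handler, dict) else None
        if cls is not None and cls not in ALLOWED_HANDLER_CLASSES:
            problems.append(f"handler {name!r} uses non-allowlisted class {cls!r}")
    return problems


def load_logging_config(path, validate):
    """validate=False is the pre-fix pattern: the file goes straight to
    dictConfig. validate=True refuses anything validate_logging_config flags."""
    with open(path) as f:
        config = json.load(f)
    if validate:
        problems = validate_logging_config(config)
        if problems:
            raise ValueError("refusing logging config: " + "; ".join(problems))
    logging.config.dictConfig(config)
    return config


def demo():
    """Point KEDRO_LOGGING_CONFIG at the malicious file and load it both ways."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as f:
        json.dump(MALICIOUS_CONFIG, f)
    os.environ["KEDRO_LOGGING_CONFIG"] = path  # the attacker-controlled input
    result = {}
    try:
        EXECUTED.clear()
        load_logging_config(os.environ["KEDRO_LOGGING_CONFIG"], validate=False)
        result["unsafe_ran_factory"] = list(EXECUTED)
        EXECUTED.clear()
        try:
            load_logging_config(os.environ["KEDRO_LOGGING_CONFIG"], validate=True)
            result["hardened_blocked"] = False
        except ValueError:
            result["hardened_blocked"] = True
        result["hardened_ran_factory"] = list(EXECUTED)
    finally:
        os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the file prints `demo()`'s result: the unsafe path records that the factory ran inside `dictConfig()`, the hardened path raises before `dictConfig()` is ever reached. The ordering matters: `dictConfig()` calls the factory first and only afterwards checks that it got something usable as a handler, so a configuration that `dictConfig()` itself later rejects has still executed the attacker's callable. The validation therefore has to happen on the parsed dict, before the call, which is what the advisory describes the fix doing.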
OSV
osv · 2026-04-03
CVE-2026-35171 [CRITICAL] Kedro has Arbitrary Code Execution via Malicious Logging Configuration
No detection rules found.
No public exploits indexed.