CVE-2026-56121
Published 2026-06-24
Priority P2 · 72 · critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS 0.86% (54.0th percentile)
Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.
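The ordering defect the description names, as an added example that is not Feast's code and not the project's fix: a stand-in registry handler that unpickles `user_defined_function.body` before authorising the caller, beside one that authorises first and then loads through a restricted unpickler. Stdlib `pickle` stands in for `dill` (a standard pickle stream is accepted by `dill.loads`, and the `__reduce__` hook behaves the same way). The spec dataclasses, the policy function `is_authorized`, the module allowlist `ALLOWED_MODULES`, and the environment-variable marker that stands in for an OS command are all assumptions made for this demonstration.

```python
import base64
import builtins
import io
import os
import pickle
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the caller may not modify the target project."""


@dataclass
class UserDefinedFunction:
    name: str
    body: bytes  # base64 text wrapping a pickled callable, as the advisory describes the wire field


@dataclass
class OnDemandFeatureViewSpec:
    """Constructed stand-in for the gRPC spec; only the fields the advisory names (assumption)."""
    name: str
    project: str
    user_defined_function: UserDefinedFunction


def is_authorized(caller: str, project: str) -> bool:
    # Hypothetical policy: only the project owner may apply feature views.
    return caller == f"owner-of-{project}"


class MaliciousUDF:
    """Attacker-controlled object: __reduce__ makes the unpickler call exec(code) on load."""

    def __init__(self, code: str) -> None:
        self.code = code

    def __reduce__(self):
        return (builtins.exec, (self.code,))


def craft_malicious_body(marker: str) -> bytes:
    # Benign stand-in for an OS command: the payload sets an environment variable in
    # the server process, so the effect is observable without spawning a shell.
    code = f"import os; os.environ[{marker!r}] = 'executed'"
    return base64.b64encode(pickle.dumps(MaliciousUDF(code)))


def double(x: int) -> int:
    """A legitimate UDF; pickle stores it by reference to this module."""
    return 2 * x


def craft_legitimate_body() -> bytes:
    return base64.b64encode(pickle.dumps(double))


def marker_fired(marker: str) -> bool:
    return os.environ.get(marker) == "executed"


# Vulnerable ordering: deserialise first, authorise second.
def apply_feature_view_vulnerable(caller: str, spec: OnDemandFeatureViewSpec):
    udf = pickle.loads(base64.b64decode(spec.user_defined_function.body))  # __reduce__ runs here
    if not is_authorized(caller, spec.project):
        raise PermissionDenied(caller)  # too late: the payload already executed
    return udf


# Hardened ordering: authorise first, then load through an unpickler that only resolves
# names from modules a legitimate UDF is expected to reference (allowlist is an assumption).
ALLOWED_MODULES = frozenset({__name__, "dill", "feast"})


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if module.split(".")[0] not in ALLOWED_MODULES:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def apply_feature_view_hardened(caller: str, spec: OnDemandFeatureViewSpec):
    if not is_authorized(caller, spec.project):
        raise PermissionDenied(caller)  # untrusted bytes never reach the unpickler
    raw = base64.b64decode(spec.user_defined_function.body)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def _spec(body: bytes) -> OnDemandFeatureViewSpec:
    return OnDemandFeatureViewSpec("odfv", "proj", UserDefinedFunction("udf", body))


def _attempt(handler, caller: str, body: bytes):
    """Call a handler; return the name of the exception it raised, or None."""
    try:
        handler(caller, _spec(body))
    except (PermissionDenied, pickle.UnpicklingError) as exc:
        return type(exc).__name__
    return None


def demo() -> dict:
    """Four scenarios: which raise, and whether the payload actually executed."""
    r = {}
    r["vuln_unauth"] = _attempt(apply_feature_view_vulnerable, "anonymous", craft_malicious_body("FEAST_DEMO_VULN"))
    r["vuln_unauth_executed"] = marker_fired("FEAST_DEMO_VULN")
    r["hard_unauth"] = _attempt(apply_feature_view_hardened, "anonymous", craft_malicious_body("FEAST_DEMO_HARD_UNAUTH"))
    r["hard_unauth_executed"] = marker_fired("FEAST_DEMO_HARD_UNAUTH")
    r["hard_auth"] = _attempt(apply_feature_view_hardened, "owner-of-proj", craft_malicious_body("FEAST_DEMO_HARD_AUTH"))
    r["hard_auth_executed"] = marker_fired("FEAST_DEMO_HARD_AUTH")
    r["legit"] = apply_feature_view_hardened("owner-of-proj", _spec(craft_legitimate_body()))(21)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first scenario is the advisory's point: the vulnerable handler raises `PermissionDenied` for the anonymous caller, yet the marker is already set, because `__reduce__` ran inside `loads()` before the check. Moving the authorisation check ahead of the decode is what closes the unauthenticated path; the restricted unpickler is only defence in depth, and it cannot make an authorised caller safe, since `dill` itself reconstructs functions and code objects, so anyone allowed to write UDFs to the registry should be treated as having code execution on the registry server.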
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| feast-dev | feast | < 0.63.0 | 0.63.0 |
| rhoai | odh-feature-server-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-codeserver-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-datascience-cpu-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-pytorch-rocm-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-cuda-py312-rhel9 | — | — |
| rhoai | odh-workbench-jupyter-tensorflow-rocm-py312-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Monitor gRPC traffic to the Feast registry server (port 6570) for requests containing an OnDemandFeatureView spec with a `user_defined_function.body` field. A base64-encoded dill-serialized payload in this field is the attack vector; flag any such requests from unauthenticated or unexpected sources.
- Alert on `dill.loads()` being called with externally-supplied data in the Feast registry server process. Process-level monitoring (e.g., auditd, eBPF) for the feast service account spawning unexpected child processes (OS command execution) is a strong post-exploitation indicator.
- Exploitation requires the registry server to be explicitly started (`feast serve_registry`). Inventory all deployments for the presence of this process; default online-only (`feast serve`) deployments are NOT vulnerable.
- In OpenShift AI environments, flag any FeatureStore custom resource configured with `registry.local.server`, as this activates the vulnerable gRPC endpoint.
- Enabling authorization on the Feast registry server does NOT mitigate this vulnerability, because the unsafe `dill.loads()` deserialization occurs BEFORE any authorization check is performed.
- Default OpenShift AI installations are NOT exploitable out of the box: the Feast operator is deployed, but no FeatureStore instance or registry server is started by default. Only explicitly configured registry servers are at risk.
- Workbench and pipeline runtime images include Feast as a client library only and do not start a registry server, so they are not directly exploitable via this CVE.
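The process-level indicator from the second item above, as an added example that is not from the advisory or from Feast: a parser and detector over auditd records that flags `execve` calls made under the feast service account by anything other than the interpreter running `feast serve_registry`, correlating each SYSCALL record with its EXECVE record by audit serial to recover argv (auditd hex-encodes arguments that contain spaces). The audit lines are constructed for the example; the uid 1001, the expected interpreter path and the audit key `feast_exec` (as a rule like `-a always,exit -F arch=b64 -S execve -F uid=1001 -k feast_exec` would write it) are assumptions to adjust for a real deployment.

```python
import re
from collections import defaultdict

FEAST_UID = 1001                        # assumption: uid running `feast serve_registry`
EXPECTED_EXE = {"/usr/bin/python3.12"}  # assumption: the interpreter the server itself runs as

# key=value pairs; values are either "quoted strings" or bare tokens (numbers, hex, paths)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: the server starting, a shell spawned from the server pid,
# then an unrelated root process that must not trigger.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1719230400.101:5001): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2100 uid=1001 gid=1001 euid=1001 comm="python3.12" exe="/usr/bin/python3.12" key="feast_exec"
type=EXECVE msg=audit(1719230400.101:5001): argc=4 a0="python3.12" a1="-m" a2="feast" a3="serve_registry"
type=SYSCALL msg=audit(1719230400.412:5002): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 uid=1001 gid=1001 euid=1001 comm="sh" exe="/usr/bin/dash" key="feast_exec"
type=EXECVE msg=audit(1719230400.412:5002): argc=3 a0="sh" a1="-c" a2=6964203E202F746D702F6F
type=SYSCALL msg=audit(1719230400.500:5003): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2102 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="feast_exec"
type=EXECVE msg=audit(1719230400.500:5003): argc=1 a0="cron"
"""


def _decode(value: str) -> str:
    """Unquote a quoted field; hex-decode a bare field (auditd hex-encodes argv containing spaces)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r"[0-9A-F]+", value) and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode("utf-8", "replace")
        except ValueError:
            pass
    return value


def parse_record(line: str) -> dict:
    """One auditd record to a dict of raw field values plus the audit serial."""
    fields = {k: v for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    fields["_serial"] = m.group(2) if m else None
    return fields


def argv_of(execve: dict) -> list:
    argc = int(execve.get("argc", "0"))
    return [_decode(execve[f"a{i}"]) for i in range(argc) if f"a{i}" in execve]


def find_suspicious_execs(lines) -> list:
    """Group records by serial, then flag execve under FEAST_UID by an exe outside EXPECTED_EXE."""
    events = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        events[rec["_serial"]][rec.get("type")] = rec
    alerts = []
    for serial, recs in events.items():
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") not in ("59", "execve"):  # raw vs. `ausearch -i` form
            continue
        if int(sc.get("uid", -1)) != FEAST_UID:
            continue
        exe = _decode(sc.get("exe", ""))
        if exe in EXPECTED_EXE:
            continue
        alerts.append({
            "serial": serial, "pid": sc.get("pid"), "ppid": sc.get("ppid"),
            "exe": exe, "argv": argv_of(recs.get("EXECVE", {})),
        })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_execs(SAMPLE_AUDIT.splitlines()):
        print(f"ALERT serial={a['serial']} ppid={a['ppid']} exe={a['exe']} argv={a['argv']}")
```

On the sample, only serial 5002 is reported: a `/usr/bin/dash` spawned with ppid 2100 (the registry server's pid) running `sh -c "id > /tmp/o"`. The registry server's own start (same uid, expected interpreter) and the root cron exec are not flagged. Keying on uid keeps the rule cheap; a stricter variant would also require `ppid` to match the known server pid.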
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 9.8 | CRITICAL | — |
GHSA (ghsa_unreviewed · 2026-06-24)
CVE-2026-56121 [CRITICAL] · CWE-502 (Deserialization of Untrusted Data). Advisory text: identical to the description above.
Red Hat (vendor_redhat · 2026-06-24 · CVSS 9.8)
CVE-2026-56121 [CRITICAL] · CWE-502 · feast: Feast: Remote Code Execution via Unsafe Deserialization in gRPC Registry Server
A flaw was found in Feast. This vulnerability allows unauthenticated or unauthorized attackers to achieve remote code execution. By sending a specially crafted gRPC request to the registry server, attackers can exploit an unsafe deserialization process. This enables them to execute operating system commands as the Feast service account, leading to a complete compromise of the affected system.
Statement: Red Hat OpenShift AI ships Feast versions affected by CVE-2026-56121. This flaw allows remote code execution only against the Feast registry gRPC server (feast serve_registry, port 6570) when that service is running and reachable.
Default OpenShift AI installations are not affected. Installing OpenShift
No detection rules found.
No public exploits indexed.
References
- https://github.com/feast-dev/feast/commit/835cda8e2c1359f1f496ad72701dbd6a73bdb25a
- https://github.com/feast-dev/feast/releases/tag/v0.63.0
- https://huntr.com/bounties/d64b8111-180b-46ba-afa3-c877fda2ede6
- https://www.vulncheck.com/advisories/feast-unauthenticated-rce-via-applyfeatureview-grpc-deserialization
- https://access.redhat.com/security/cve/CVE-2026-56121
- https://bugzilla.redhat.com/show_bug.cgi?id=2492229
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-56121.json