cbcvebase.
CVE-2026-56121
published 2026-06-24

CVE-2026-56121: Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by…

PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.86%
54.0th percentile
Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.

Affected

15 ranges
VendorProductVersion rangeFixed in
feast-devfeast< 0.63.00.63.0
rhoaiodh-feature-server-rhel9
rhoaiodh-pipeline-runtime-datascience-cpu-py312-rhel9
rhoaiodh-pipeline-runtime-pytorch-cuda-py312-rhel9
rhoaiodh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9
rhoaiodh-pipeline-runtime-pytorch-rocm-py312-rhel9
rhoaiodh-pipeline-runtime-tensorflow-cuda-py312-rhel9
rhoaiodh-pipeline-runtime-tensorflow-rocm-py312-rhel9
rhoaiodh-workbench-codeserver-datascience-cpu-py312-rhel9
rhoaiodh-workbench-jupyter-datascience-cpu-py312-rhel9
rhoaiodh-workbench-jupyter-pytorch-cuda-py312-rhel9
rhoaiodh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9
rhoaiodh-workbench-jupyter-pytorch-rocm-py312-rhel9
rhoaiodh-workbench-jupyter-tensorflow-cuda-py312-rhel9
rhoaiodh-workbench-jupyter-tensorflow-rocm-py312-rhel9

Detection & IOCsextracted from sources · hover to see the quote

port6570
commandfeast serve_registry
  • Monitor gRPC traffic to the Feast registry server (port 6570) for requests containing an OnDemandFeatureView spec with a `user_defined_function.body` field. A base64-encoded dill-serialized payload in this field is the attack vector; flag any such requests from unauthenticated or unexpected sources.
  • Alert on `dill.loads()` being called with externally-supplied data in the Feast registry server process. Process-level monitoring (e.g., auditd, eBPF) for the feast service account spawning unexpected child processes (OS command execution) is a strong post-exploitation indicator.
  • Exploitation requires the registry server to be explicitly started (`feast serve_registry`). Inventory all deployments for the presence of this process; default online-only (`feast serve`) deployments are NOT vulnerable.
  • In OpenShift AI environments, flag any FeatureStore custom resource configured with `registry.local.server` as this activates the vulnerable gRPC endpoint.
  • ·Enabling authorization on the Feast registry server does NOT mitigate this vulnerability because the unsafe `dill.loads()` deserialization occurs BEFORE any authorization check is performed.
  • ·Default OpenShift AI installations are NOT exploitable out-of-the-box: the Feast operator is deployed but no FeatureStore instance or registry server is started by default. Only explicitly configured registry servers are at risk.
  • ·Workbench and pipeline runtime images include Feast as a client library only and do not start a registry server, so they are not directly exploitable via this CVE.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.