CRITICAL🇵🇱 Wersja polska

CVE-2026-35171

CVSS 9.8v3.1pub. 2026-04-06upd. 2026-04-14

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.

🤖 AI Analysis
How it works

Kedro loads the logging configuration file specified by the KEDRO_LOGGING_CONFIG environment variable without any validation of its contents. The logging.config.dictConfig() function supports a special '()' key that allows instantiation of arbitrary callable objects. An attacker can provide a crafted configuration file containing this key, leading to deserialization of untrusted data and execution of arbitrary system commands at application startup. The vulnerability results from a combination of two weaknesses: lack of input validation (CWE-94) and unsafe deserialization (CWE-502).

Impact

An attacker can execute arbitrary code on the server with Kedro process privileges during its startup, leading to full system compromise, data exfiltration, and potential lateral movement within the network.

Mitigation & patch

Kedro should be updated to version 1.3.0 or newer, where the vulnerability has been fixed. Additionally, it is recommended to audit environments for unauthorized modifications of the KEDRO_LOGGING_CONFIG environment variable and restrict the ability to set environment variables by unauthorized parties.

Who is affected

Kedro (Linux Foundation project) in all versions before 1.3.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linuxfoundation Kedro

    APP
    Linuxfoundation
    < 1.3.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-35167HIGH7.1ten sam produkt

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedr...

CVE-2026-53488CRITICAL9.4ten sam vendor

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 t...

CVE-2026-44477CRITICAL9.4PL ✓ten sam vendor

CloudNativePG: eskalacja uprawnień do superużytkownika PostgreSQL przez metrics exporter

CVE-2026-37531CRITICAL9.8PL ✓ten sam vendor

AGL app-framework-main: Zip Slip + TOCTOU umożliwiają zapis dowolnych plików

CVE-2026-32613CRITICAL9.9PL ✓ten sam vendor

Spinnaker Echo: nieograniczony dostęp SPeL umożliwia RCE