
CVE

CVE-2026-35171

Kedro has Arbitrary Code Execution via Malicious Logging Configuration

Impact

This is a critical Remote Code Execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input.

Kedro lets the KEDRO_LOGGING_CONFIG environment variable point at a logging configuration file and loads that file without validation. The dictConfig() schema supports the special () key, which instantiates an arbitrary callable named in the config. An attacker who controls that file can therefore run arbitrary system commands during application startup.

---

Patches

The vulnerability is fixed by introducing validation that rejects the unsafe () factory key in logging configurations before passing them to dictConfig().

Fixed in

  • Kedro 1.3.0

Users should upgrade to this version as soon as possible.

---

Workarounds

If upgrading is not immediately possible:

  • Do not allow untrusted input to control the KEDRO_LOGGING_CONFIG environment variable
  • Restrict write access to logging configuration files
  • Avoid using externally supplied or dynamically generated logging configs
  • Manually validate logging YAML to ensure it does not contain the () key

These mitigations reduce risk but do not fully eliminate it.
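To make the check concrete, here is an added example (not Kedro's own code) of the validation the fix and the last workaround describe: walk a loaded logging config, report every () factory key wherever it is nested, and refuse to hand the config to dictConfig() when one is found. Both config dicts and the placeholder callable name are constructed for the illustration.

```python
"""Reject the dictConfig '()' factory key before a logging config is applied.
Added illustration, not Kedro's code; sample configs below are constructed."""
import logging.config
from typing import Any

FACTORY_KEY = "()"


def find_factory_keys(node: Any, path: str = "$") -> list[str]:
    """Return path-like locations of every '()' key in a nested logging
    config. Searches dicts and lists at any depth, not only the top-level
    formatters/filters/handlers sections, so a key hidden deeper is caught."""
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == FACTORY_KEY:
                found.append(here)
            found.extend(find_factory_keys(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_factory_keys(item, f"{path}[{index}]"))
    return found


def safe_dict_config(config: dict) -> bool:
    """Apply the config only if it carries no '()' factory key.
    Returns True when applied; a rejected config leaves logging untouched."""
    if find_factory_keys(config):
        return False
    logging.config.dictConfig(config)
    return True


# Constructed samples: an ordinary config, and one that smuggles a factory key
# into a handler definition. "some.module.callable" is a placeholder name.
SAFE_CONFIG = {
    "version": 1,
    "formatters": {"simple": {"format": "%(levelname)s %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler", "formatter": "simple"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}
UNSAFE_CONFIG = {
    "version": 1,
    "handlers": {"console": {"()": "some.module.callable"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}
```

Run the same walk over the dict produced by yaml.safe_load() of the file named in KEDRO_LOGGING_CONFIG before it reaches dictConfig().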

CVSS

CVSS version: 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


References

  • https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r
  • https://github.com/kedro-org/kedro

Severity

CVSS base score: 9.8 (scale 0 to 10)

Basic Information

  • Base CVSS: 9.8
  • EPSS probability: 0%
  • EPSS percentile: 0%
  • Introduced version: 0
  • Fix available: 1.3.0
