CVE-2026-35171
Published April 6, 2026 · Updated April 7, 2026
What This Means
CVE-2026-35171 is a critical remote code execution (RCE) vulnerability affecting Kedro versions prior to 1.3.0. Kedro reads the path of its logging configuration file from the KEDRO_LOGGING_CONFIG environment variable and loads that file without validation, so an attacker who can set the variable, or write to the file it points to, can have arbitrary system commands executed during application startup. The precondition is control over the process environment or that file rather than a network-reachable input, so exposure depends on who can influence the deployment environment (CI jobs, container definitions, shared hosts). Upgrade to Kedro 1.3.0 or later to mitigate this vulnerability.
Official Description
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
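The mechanism the description names, as an added example that is not Kedro's own code: logging.config.dictConfig() treats the special "()" key in a formatter, handler or filter block as a factory, resolves its value as a dotted import path and calls it with the block's remaining keys as keyword arguments. The example reads a config file whose path comes from KEDRO_LOGGING_CONFIG, exactly as the advisory describes, loads it once unscreened and once behind a check that refuses any "()" key. Assumptions: the file is JSON so the demo is stdlib-only (Kedro reads YAML, but dictConfig receives the same kind of mapping); the callable injected is os.makedirs so the side effect is safe and observable, where the advisory's scenario would use a command-executing callable instead; all helper names are the author's.

```python
"""Added example, not Kedro's own code: why handing an environment-selected logging
config to logging.config.dictConfig() is code execution, and a pre-load check that
refuses configs using the '()' factory key.

Assumptions: the file is JSON so the demo is stdlib-only (Kedro reads YAML, but
dictConfig receives the same kind of mapping); the helper names are the author's,
chosen to mirror the advisory; ENV_VAR is the variable the advisory names.
"""
import json
import logging.config
import os
import tempfile

ENV_VAR = "KEDRO_LOGGING_CONFIG"   # variable named in the advisory
CALLABLE_KEY = "()"                # dictConfig's factory key


def write_untrusted_config(directory: str, marker_dir: str, filename: str) -> str:
    """Constructed attacker-controlled config file. The formatter block uses '()'
    so dictConfig resolves 'os.makedirs' by dotted name and calls it with the
    remaining keys as keyword arguments. The command-execution variant the
    advisory describes has the same shape with a command-running callable; a
    directory creation is used here so the effect is safe and observable."""
    config = {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
            "injected": {"()": "os.makedirs", "name": marker_dir, "exist_ok": True},
        },
    }
    path = os.path.join(directory, filename)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    return path


def load_config_from_env() -> dict:
    """The vulnerable pattern: take a path from the environment and parse whatever
    it points at, with no check on who controls the variable or the file."""
    with open(os.environ[ENV_VAR], encoding="utf-8") as fh:
        return json.load(fh)


def find_callable_keys(node, path: str = "") -> list:
    """Return dotted paths of every '()' key in a logging config. Each one names
    an importable callable that dictConfig will execute at load time."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == CALLABLE_KEY:
                hits.append(here)
            hits.extend(find_callable_keys(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_callable_keys(value, f"{path}[{index}]"))
    return hits


def apply_logging_config(config: dict, screen: bool) -> None:
    """screen=False is the vulnerable call; screen=True refuses any config that
    can instantiate arbitrary callables before dictConfig ever sees it."""
    if screen:
        hits = find_callable_keys(config)
        if hits:
            raise ValueError(f"refusing logging config with factory keys: {hits}")
    logging.config.dictConfig(config)


def demo() -> dict:
    """Load the same hostile file both ways and report what each did."""
    base = tempfile.mkdtemp()
    marker_a = os.path.join(base, "made-by-dictConfig")
    marker_b = os.path.join(base, "made-by-dictConfig-screened")

    os.environ[ENV_VAR] = write_untrusted_config(base, marker_a, "a.json")
    apply_logging_config(load_config_from_env(), screen=False)   # factory runs here

    os.environ[ENV_VAR] = write_untrusted_config(base, marker_b, "b.json")
    blocked = False
    try:
        apply_logging_config(load_config_from_env(), screen=True)
    except ValueError:
        blocked = True

    return {
        "unscreened_executed_callable": os.path.isdir(marker_a),   # True
        "screened_blocked": blocked,                              # True
        "screened_side_effect": os.path.isdir(marker_b),          # False
    }


if __name__ == "__main__":
    print(demo())
```

The screen only stops the "()" primitive the advisory names; a stricter policy would also allowlist the `class` values permitted for handlers and filters, since those are imported and instantiated too. The safer fix is the one the advisory points to: not taking the config path from an environment variable that untrusted parties can set.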
Recommended Actions
- Check whether any of your systems run Kedro earlier than 1.3.0, the only affected product listed above; include CI runners and container images that install it.
- Upgrade to Kedro 1.3.0 or later. Until you can, make sure KEDRO_LOGGING_CONFIG cannot be set by untrusted parties and that the file it names lives where only trusted users can write.
- Monitor vendor advisories for updates and additional mitigations.
- Review the logging configuration files in use and your application startup logs for unexpected entries, in particular formatter, handler or filter blocks using the () key, since a malicious callable executes during startup and CVE-2026-35171 leaves its trace there rather than in request logs.