CVE-2026-35171
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
This is a critical Remote Code Execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input.
Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.
---
Patches
The vulnerability is fixed by introducing validation that rejects the unsafe () factory key in logging configurations before passing them to dictConfig().
Fixed in
- Kedro 1.3.0
Users should upgrade to this version as soon as possible.
---
Workarounds
If upgrading is not immediately possible:
- Do not allow untrusted input to control the
KEDRO_LOGGING_CONFIGenvironment variable - Restrict write access to logging configuration files
- Avoid using externally supplied or dynamically generated logging configs
- Manually validate logging YAML to ensure it does not contain the
()key
These mitigations reduce risk but do not fully eliminate it.
AnalysisAI
Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a
Technical ContextAI
This vulnerability exploits a dangerous feature in Python's standard library logging configuration mechanism. The logging.config.dictConfig() function supports a special '()' key that dynamically instantiates arbitrary Python callables during configuration parsing. Kedro, a popular data pipeline framework (pkg:pip/kedro), reads logging configuration from a file path specified via the KEDRO_LOGGING_CONFIG environment variable without validating the configuration contents before passing to dictConfig(). An attacker who can control this environment variable or write to the referenced configuration file can inject a malicious logging configuration containing entries like '()': 'os.system' or '()': 'subprocess.Popen' with arbitrary command arguments. This triggers code execution during the logging subsystem initialization at application startup, before any application-level security controls are active. The root cause is CWE-94 (Improper Control of Generation of Code), specifically unsafe deserialization of configuration data that supports executable directives. This pattern has affected other Python frameworks and represents a broader ecosystem risk wherever dictConfig() processes untrusted input.
RemediationAI
Upgrade immediately to Kedro version 1.3.0 or later, which introduces validation to reject the unsafe '()' factory key in logging configurations before processing with dictConfig(). Organizations can install the patched version using pip: 'pip install --upgrade kedro>=1.3.0' and verify installation with 'pip show kedro'. For environments where immediate upgrading is not feasible, implement defense-in-depth mitigations: restrict write permissions on all logging configuration files to trusted system accounts only; prevent untrusted input from controlling the KEDRO_LOGGING_CONFIG environment variable through input validation, environment variable allowlisting in container orchestration, and least-privilege execution contexts; audit all existing logging configuration YAML files to ensure they do not contain the '()' key; and implement runtime monitoring for unexpected child processes spawned by Kedro applications. In containerized deployments, use read-only filesystems for configuration directories and explicitly set KEDRO_LOGGING_CONFIG to a known-safe path in the container image rather than accepting it from external sources. These workarounds reduce attack surface but do not provide complete protection-upgrading to the patched version remains the only definitive remediation. Consult the official GitHub advisory (https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r) for additional vendor guidance and subscribe to Kedro security announcements for future updates.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9cqf-439c-j96r