
Feast CVE-2026-56121

EUVD-2026-38801 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-24 · VulnCheck · GHSA-q63x-9pfm-mjx4
9.3 (CVSS 4.0, vendor score from VulnCheck)

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Pre-authorization dill.loads() over a network gRPC request gives AV:N/AC:L/PR:N/UI:N, and arbitrary code execution as the service account yields full C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: not a CVSS 4.0 metric. The S:X in the vector is the unassessed Safety supplemental metric; 4.0 expresses impact beyond the vulnerable system through the SC/SI/SA subsequent-system metrics, all N here.

Lifecycle Timeline

Source Code Evidence Fetched: Jun 24, 2026 15:51 (vuln.today)
Analysis Generated: Jun 24, 2026 15:51 (vuln.today)

Description (CVE.org)

Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.

Analysis (AI)

Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: reach the registry server's gRPC endpoint; no credentials are required.
  • Delivery: craft a Python object whose __reduce__ method runs the attacker's command, serialize it with dill, and base64-encode it as the user_defined_function.body of an OnDemandFeatureView spec.
  • Exploit: send the ApplyFeatureView request carrying that spec.
  • Execution: the registry base64-decodes the field and calls dill.loads() before its authorization check, so __reduce__ runs regardless of who sent the request.
  • Impact: OS commands execute as the feast service account.

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network access to the Feast registry gRPC server and the ability to send an ApplyFeatureView request containing an OnDemandFeatureView whose user_defined_function.body holds a malicious dill-serialized Python object. No authentication is needed because the base64 decode and dill.loads() occur before the authorization check (consistent with PR:N in the CVSS vector). …

Risk Assessment: All independent signals point to high real-world risk. …

Exploit Scenario: An attacker who can reach the Feast registry's gRPC endpoint (no credentials needed) crafts a malicious Python object whose __reduce__ method spawns a shell command, dill-serializes it, base64-encodes it, and submits it as the user_defined_function.body of an OnDemandFeatureView in an ApplyFeatureView request. When the registry decodes the field and calls dill.loads() before checking authorization, the payload executes, running OS commands as the feast service account. …

Remediation: Vendor-released patch: upgrade to Feast 0.63.0 or later (https://github.com/feast-dev/feast/releases/tag/v0.63.0), which contains fix commit 835cda8e2c1359f1f496ad72701dbd6a73bdb25a. …
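The exploit scenario and the ordering problem behind it, as an added example that is not Feast's code and not the contents of the fix commit: a stand-in for the registry's ApplyFeatureView handler, first in the pre-fix ordering the page describes (decode, dill.loads(), then authorize) and then with authorization before the body is touched. The standard pickle module replaces dill (dill extends pickle and invokes __reduce__ callables the same way); the caller records, the permission model and the directory-creating payload are constructed for the demo. The restricted unpickler in the hardened handler is an extra defense-in-depth layer that would also reject legitimate dill-serialized UDFs, so it illustrates the principle of not resolving attacker-chosen globals rather than the vendor's actual fix.

```python
# Added example (not Feast code): registry handler stand-in in two orderings.
# pickle stands in for dill.loads(); callers, permissions and the marker-directory
# payload are constructed for the demo.
import base64
import io
import os
import pickle
import tempfile


class MaliciousUdf:
    """Attacker object: loading it calls os.makedirs(path), a stand-in for an OS
    command. A real payload would reference os.system or subprocess instead."""

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (os.makedirs, (self.path,))


def craft_apply_request(payload):
    """Attacker side: serialize, base64-encode, place in the field the registry decodes."""
    blob = pickle.dumps(payload, protocol=4)
    return {
        "name": "attacker_view",
        "user_defined_function": {"body": base64.b64encode(blob).decode("ascii")},
    }


# Constructed callers: an unauthenticated client and a legitimately authorized one.
ANONYMOUS = {"name": "anonymous", "permissions": frozenset()}
ADMIN = {"name": "ml-platform-admin", "permissions": frozenset({"apply_feature_view"})}


def authorize(caller, action):
    """Stand-in for the registry's permission check (assumed policy model)."""
    if action not in caller["permissions"]:
        raise PermissionError(f"{caller['name']} may not {action}")


def vulnerable_apply_feature_view(request, caller):
    """Pre-fix ordering described on the page: decode and deserialize, then authorize."""
    body = base64.b64decode(request["user_defined_function"]["body"])
    udf = pickle.loads(body)                  # sink: __reduce__ runs here for any caller
    authorize(caller, "apply_feature_view")   # too late; the payload has already executed
    return udf


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a __reduce__ callable can never be resolved.
    Also rejects genuine dill-serialized functions: defense in depth for data-only
    bodies, not a substitute for upgrading."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def hardened_apply_feature_view(request, caller):
    """Authorize before the body is even decoded; then refuse code-bearing pickles."""
    authorize(caller, "apply_feature_view")   # unauthenticated callers stop here
    body = base64.b64decode(request["user_defined_function"]["body"])
    return NoGlobalsUnpickler(io.BytesIO(body)).load()


def demo(workdir=None):
    """Runs one crafted request through both handlers and reports what happened."""
    marker = os.path.join(workdir or tempfile.mkdtemp(), "payload_ran")
    request = craft_apply_request(MaliciousUdf(marker))
    outcome = {}

    try:
        vulnerable_apply_feature_view(request, ANONYMOUS)
    except PermissionError:
        pass  # denied, but only after the deserialization already ran the payload
    outcome["vulnerable_anonymous_ran_payload"] = os.path.isdir(marker)
    if os.path.isdir(marker):
        os.rmdir(marker)

    try:
        hardened_apply_feature_view(request, ANONYMOUS)
        outcome["hardened_anonymous"] = "accepted"
    except PermissionError:
        outcome["hardened_anonymous"] = "denied"

    try:
        hardened_apply_feature_view(request, ADMIN)
        outcome["hardened_admin"] = "accepted"
    except pickle.UnpicklingError:
        outcome["hardened_admin"] = "rejected"

    outcome["hardened_ran_payload"] = os.path.isdir(marker)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the two handlers is the position of the authorize() call relative to the deserialization sink: in the first, an anonymous caller's request is rejected only after os.makedirs has already run; in the second, the request never reaches the decoder, and even an authorized caller cannot smuggle a callable reference past the unpickler.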

Recommended Action (AI)

Within 24 hours: Identify all Feast installations and their versions; implement temporary network restrictions (firewall rules limiting registry server access to trusted hosts only) if immediate patching is not feasible; review access logs for suspicious gRPC ApplyFeatureView requests. …
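Reviewing captured ApplyFeatureView requests, as an added example that is not Feast tooling: a body pulled from a log or packet capture must never be loaded to find out what it does. pickletools.genops walks the pickle/dill opcode stream statically, so the check below lists the globals a body would import on load and counts the opcodes that call something. The two sample bodies are constructed here (a real UDF body is a dill-serialized function); the allow-list and danger-list prefixes are assumptions to be tuned against known-good Feast UDF bodies, which reference dill internals and the UDF's own imports.

```python
# Added example (not Feast code): static triage of a captured user_defined_function.body.
# Sample bodies are constructed; prefix lists are assumptions to tune per deployment.
import base64
import pickle
import pickletools
import subprocess

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}
# Opcodes that invoke something at load time: REDUCE calls func(*args); the others
# construct instances via __new__, __init__ or __setstate__.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
MEMO_GET_OPS = {"BINGET", "LONG_BINGET", "GET"}
MEMO_PUT_OPS = {"BINPUT", "LONG_BINPUT", "PUT"}
# Assumed lists: modules a legitimate dill UDF body is expected to touch, and
# prefixes whose appearance in an untrusted body means command or code execution.
ALLOWED_PREFIXES = ("dill.",)
DANGEROUS_PREFIXES = ("os.", "posix.", "nt.", "subprocess.", "builtins.",
                      "io.open", "socket.", "pty.", "shutil.")


def referenced_globals(blob):
    """Returns (globals resolved at load, number of call opcodes) without loading."""
    names, recent, memo, calls = [], [], [], 0
    last = None  # most recent string constant pushed, for memo bookkeeping
    for opcode, arg, _pos in pickletools.genops(blob):
        op = opcode.name
        if op in STRING_OPS:
            last = arg
            recent.append(arg)
        elif op == "MEMOIZE":
            memo.append(last)                      # protocol 4: sequential memo slots
        elif op in MEMO_PUT_OPS:
            memo.extend([None] * (arg + 1 - len(memo)))
            memo[arg] = last                       # older protocols: explicit slot
        elif op in MEMO_GET_OPS:
            last = memo[arg] if arg < len(memo) else None
            if isinstance(last, str):
                recent.append(last)                # re-pushed module or attribute name
        elif op == "GLOBAL":
            names.append(arg.replace(" ", ".", 1))  # pickletools renders "module name"
            last = None
        elif op == "STACK_GLOBAL":
            names.append(".".join(recent[-2:]))     # module and name were just pushed
            last = None
        else:
            calls += op in CALL_OPS
            last = None
        recent = recent[-2:]
    return names, calls


def triage_body(body_b64, allowed_prefixes=ALLOWED_PREFIXES,
                dangerous_prefixes=DANGEROUS_PREFIXES):
    """Decodes a captured body and reports what it would import and call on load."""
    blob = base64.b64decode(body_b64)
    names, calls = referenced_globals(blob)
    unexpected = [n for n in names if not n.startswith(allowed_prefixes)]
    dangerous = [n for n in names if n.startswith(dangerous_prefixes)]
    return {
        "globals": names,
        "call_opcodes": calls,
        "unexpected": unexpected,
        "dangerous": dangerous,
        "suspicious": bool(dangerous or unexpected),
    }


class _ShellPayload:
    """Constructed attacker object; serialized here, never loaded."""

    def __reduce__(self):
        return (subprocess.check_output, (["id"],))


# Constructed sample bodies in the base64 form the registry receives.
MALICIOUS_BODY = base64.b64encode(pickle.dumps(_ShellPayload(), protocol=4)).decode()
BENIGN_BODY = base64.b64encode(
    pickle.dumps({"feature": "conv_rate", "ttl_seconds": 3600}, protocol=4)).decode()


if __name__ == "__main__":
    print(triage_body(MALICIOUS_BODY))
    print(triage_body(BENIGN_BODY))
```

A body that resolves subprocess.check_output and then hits REDUCE is the __reduce__ pattern the CVE describes; a data-only body resolves nothing and calls nothing. Expect real UDF bodies to resolve dill internals plus the modules the UDF imports, so build the allow-list from bodies applied by known clients before using the "unexpected" list as an alert signal.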




CVE-2026-56121 vulnerability details – vuln.today
