{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35171", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T17:45:45.664Z", "dateUpdated": "2026-04-07T15:10:37.613Z"}, "containers": {"cna": {"title": "Arbitrary Code Execution via Malicious Logging Configuration in Kedro", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r"}], "affected": [{"vendor": "kedro-org", "product": "kedro", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:45:45.664Z"}, "descriptions": [{"lang": "en", "value": "Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0."}], "source": {"advisory": "GHSA-9cqf-439c-j96r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:07:48.767240Z", "id": "CVE-2026-35171", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:10:37.613Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35171", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T15:07:48.767240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:07:55.111Z"}}], "cna": {"title": "Arbitrary Code Execution via Malicious Logging Configuration in Kedro", "source": {"advisory": "GHSA-9cqf-439c-j96r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kedro-org", "product": "kedro", "versions": [{"status": "affected", "version": "< 1.3.0"}]}], "references": [{"url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r", "name": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:45:45.664Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35171", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:10:37.613Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T17:45:45.664Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0."}], "id": "CVE-2026-35171", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:43.373", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kedro", "source": "cna", "vendor": "kedro-org"}, "product": "kedro", "vendor": "kedro-org"}], "analysis": {"en": {"generated_at": "2026-04-06T22:05:26.993688+00:00", "value": {"mitigation_remediation": ["Upgrade Kedro to version 1.3.0 or later, which removes the ability to load unvalidated logging configurations."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the Kedro products released by kedro\u2011org. Any deployment using Kedro earlier than version 1.3.0 is susceptible because those releases allow unvalidated logging configurations. Versions 1.3.0 and later contain the fix and are not vulnerable.", "description_and_impact": "A Kedro installation before version 1.3.0 accepts a logging configuration file path through the environment variable KEDRO_LOGGING_CONFIG and loads that file without verification. The logging schema permits the special \"()\" key, which can instantiate arbitrary callables. An attacker who can influence this environment variable can supply a configuration that causes the logging system to execute system commands when the application starts, thereby gaining full control of the running process. This flaw is a classic code\u2011execution vulnerability linked to unsafe deserialization and code injection.", "risk_and_exploitability": "The severity rating of 9.8 indicates a critical risk to confidentiality, integrity, and availability. Exploit likelihood data is not available, but the vulnerability can be triggered simply by setting an environment variable before executing the Kedro process, suggesting a straightforward local or process\u2011level attack vector. Although it is not catalogued as a widely known exploit, the ease of exploitation and high severity make it a priority danger for affected systems."}}}}, "created": "2026-04-07T06:54:52.444734+00:00", "updated": "2026-04-07T09:37:57.484767+00:00", "vendors": ["kedro-org", "kedro-org$PRODUCT$kedro"]}