GHSA-9cqf-439c-j96r

Source
https://github.com/advisories/GHSA-9cqf-439c-j96r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9cqf-439c-j96r/GHSA-9cqf-439c-j96r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9cqf-439c-j96r
Aliases
  • CVE-2026-35171
Published
2026-04-03T03:48:48Z
Modified
2026-04-03T04:05:10.738549Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Kedro has Arbitrary Code Execution via Malicious Logging Configuration
Details

Impact

This is a critical Remote Code Execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input.

Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.


Patches

The vulnerability is fixed by introducing validation that rejects the unsafe () factory key in logging configurations before passing them to dictConfig().

Fixed in

  • Kedro 1.3.0

Users should upgrade to this version as soon as possible.


Workarounds

If upgrading is not immediately possible:

  • Do not allow untrusted input to control the KEDRO_LOGGING_CONFIG environment variable
  • Restrict write access to logging configuration files
  • Avoid using externally supplied or dynamically generated logging configs
  • Manually validate logging YAML to ensure it does not contain the () key

These mitigations reduce risk but do not fully eliminate it.
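The check described under Patches and in the last workaround above, as an added example that is not Kedro's code or the advisory's: a recursive walk over a dictConfig mapping that reports every `()` factory key (in any section, at any depth) and refuses to call `dictConfig()` when one is present. Both sample configs are constructed for illustration, and the dotted name in the unsafe one is a placeholder, not a real module.

```python
import logging.config
from typing import Any, Dict, List

FACTORY_KEY = "()"  # dictConfig key that imports and calls an arbitrary callable


def find_factory_keys(node: Any, path: str = "") -> List[str]:
    """Return the dotted paths of every '()' key in a dictConfig mapping.

    Walks dicts and lists so a factory key nested anywhere (formatters,
    filters, handlers, or deeper) is reported, not just top-level sections.
    """
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if key == FACTORY_KEY:
                found.append(child)
            found.extend(find_factory_keys(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_factory_keys(item, f"{path}[{i}]"))
    return found


def safe_dict_config(config: Dict[str, Any]) -> None:
    """Apply a logging config only if it contains no '()' factory keys."""
    offending = find_factory_keys(config)
    if offending:
        raise ValueError(f"unsafe '()' key in logging config at: {', '.join(offending)}")
    logging.config.dictConfig(config)


# Constructed sample configs (not taken from the advisory or from Kedro).
SAFE_CONFIG = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {"plain": {"format": "%(levelname)s %(name)s: %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler", "formatter": "plain"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}
UNSAFE_CONFIG = {
    "version": 1,
    "handlers": {
        "console": {"class": "logging.StreamHandler"},
        # '()' makes dictConfig import and call this dotted name with the other
        # keys as kwargs; the name here is a placeholder, not a real module.
        "evil": {"()": "attacker_controlled.module.factory", "arg": "value"},
    },
    "root": {"level": "INFO", "handlers": ["console"]},
}

if __name__ == "__main__":
    print(find_factory_keys(UNSAFE_CONFIG))  # ['handlers.evil.()']
```

The same walk applies to a config loaded from YAML once it has been parsed into a dict, which is where KEDRO_LOGGING_CONFIG input would enter.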

Database specific
{
    "cwe_ids": [
        "CWE-94",
        "CWE-502"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-04-03T03:48:48Z"
}
References

Affected packages

PyPI / kedro

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.3.0

Affected versions

0.*
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.17.7
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.8
0.18.9
0.18.10
0.18.11
0.18.12
0.18.13
0.18.14
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.19.8
0.19.9
0.19.10
0.19.11
0.19.12
0.19.13
0.19.14
0.19.15
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0
1.1.1
1.2.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9cqf-439c-j96r/GHSA-9cqf-439c-j96r.json"