PYSEC-2026-1366

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/feast/PYSEC-2026-1366.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1366
Aliases
Published
2026-07-07T16:03:14.611825Z
Modified
2026-07-07T17:47:13.124877584Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Feast vulnerable to Deserialization of Untrusted Data
Details

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py. The vulnerability arises from the use of yaml.load(..., Loader=yaml.Loader) to deserialize /var/feast/feature_store.yaml and /var/feast/materialization_config.yaml. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.

References

Affected packages

PyPI / feast

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.54.0

Affected versions

0.*
0.1.0
0.1.0.post0
0.1.2
0.1.2.post0
0.1.2.post1
0.3.0
0.3.2
0.3.3
0.3.3.post0
0.3.4
0.3.5
0.3.6
0.3.7
0.4.0
0.4.1
0.4.1.post0
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.5.0rc0
0.5.0
0.5.0.post0
0.5.1
0.6.0
0.6.1
0.6.2
0.7.0rc1
0.7.0rc2
0.7.0rc3
0.7.0
0.7.1
0.7.2
0.8.0rc3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0rc1
0.9.0rc2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.5.1
0.9.5.2
0.9.6
0.9.7
0.9.8
0.9.9
0.10.0
0.10.1rc1
0.10.1rc3
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.11.0
0.12.0
0.12.1
0.13.0
0.14.0
0.14.1
0.15.0
0.15.1
0.16.0
0.16.1
0.17.0
0.18.0
0.18.1
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.20.0
0.20.1
0.20.2
0.21.0
0.21.1
0.21.2
0.21.3
0.22.0
0.22.1
0.22.2
0.22.3
0.22.4
0.23.0
0.23.1
0.23.2
0.24.0
0.24.1
0.25.0
0.25.1
0.25.2
0.26.0
0.27.0
0.27.1
0.28.0
0.29.0
0.30.2
0.31.0
0.31.1
0.33.1
0.34.0
0.34.1
0.35.0
0.36.0
0.37.1
0.38.0
0.39.0
0.39.1
0.40.0
0.40.1
0.41.3
0.42.0
0.43.0
0.44.0
0.45.0
0.46.0
0.47.0
0.48.0
0.48.1
0.49.0
0.50.0
0.51.0
0.52.0
0.53.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/feast/PYSEC-2026-1366.yaml"