PYSEC-2026-1485

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/kedro/PYSEC-2026-1485.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1485
Aliases
Published
2026-07-07T14:34:53.006019Z
Modified
2026-07-07T17:47:30.001341001Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Kedro allows Remote Code Execution by Pulling Micro Packages
Details

In kedro-org/kedro version 0.19.8, the pull_package() API function allows users to download and extract micro packages from the Internet. However, the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.

References

Affected packages

PyPI / kedro

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.19.8

Affected versions

0.*
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.17.7
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.8
0.18.9
0.18.10
0.18.11
0.18.12
0.18.13
0.18.14
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.19.8

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/kedro/PYSEC-2026-1485.yaml"