CVE-2026-35171
Published: 06 April 2026
Description
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Mitigating Controls (NIST 800-53 r5)
Timely remediation: upgrading Kedro to 1.3.0 or later removes the unsafe loading of the logging configuration named by KEDRO_LOGGING_CONFIG and is the only complete fix.
Input validation: any logging configuration that reaches logging.config.dictConfig() must be validated first, rejecting the "()" key (arbitrary callable instantiation) and any class name outside an allowlist, since both resolve to importable Python callables that are invoked at startup.
Secure configuration settings: deployment baselines should pin or restrict environment variables such as KEDRO_LOGGING_CONFIG so that only trusted, reviewed configuration files can be loaded by the Kedro process.
Security Summary
CVE-2026-35171 is a critical remote code execution (RCE) vulnerability in Kedro, an open-source toolbox for production-ready data science projects. In versions prior to 1.3.0, Kedro allows the logging configuration file path to be specified via the KEDRO_LOGGING_CONFIG environment variable, which it loads without validation using logging.config.dictConfig(). The logging configuration schema supports a special "()" key that enables arbitrary callable instantiation, allowing attackers to inject malicious configurations that execute arbitrary system commands during application startup. The vulnerability is associated with CWE-94 (Improper Control of Generation of Code) and CWE-502 (Deserialization of Untrusted Data), and it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The CVSS vector rates the flaw as network-reachable, unauthenticated and requiring no user interaction, because nothing in Kedro stands between the file named by KEDRO_LOGGING_CONFIG and logging.config.dictConfig(). What the attacker needs in practice is a way to set that variable for the Kedro process, or to write the file it points to, for example through a CI/CD job definition, a container or orchestrator manifest, or a project configuration checked into the repository. The payload fires at application startup, when the unvalidated configuration is processed: dictConfig() instantiates every handler, formatter and filter entry whether or not any logger references it, so the injected callable runs with the privileges of the Kedro process. The impact is high on confidentiality, integrity and availability, and can amount to full compromise of the host or container running the pipeline.
The vulnerability is addressed in Kedro version 1.3.0, which includes fixes to prevent unsafe loading of user-controlled logging configurations. Additional details and mitigation guidance are available in the official security advisory at https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r. Security practitioners should upgrade to 1.3.0 or later and review environment variable controls in deployment pipelines.
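Both the description and the summary above rest on one detail of the standard library: logging.config.dictConfig() takes the dotted name under a "()" key (and under "class", and inside ext:// references), imports it, and calls it with the remaining keys as keyword arguments, all before any logger emits a record. The following is an added example written for this page, not Kedro's code or its 1.3.0 fix. It shows the pre-fix load pattern beside a hardened loader that validates the parsed dict before handing it to dictConfig(). The JSON file format, the environment handling, the allowlists, the function names, and the use of os.makedirs as a harmless stand-in for os.system are all assumptions made for the demonstration.

```python
"""Vulnerable vs hardened loading of the logging config named by KEDRO_LOGGING_CONFIG.
Added example for this page, not Kedro's code. The file is JSON here (Kedro uses YAML);
dictConfig only sees the parsed dict, so the checks are the same."""
import json, logging, logging.config, os
import shutil, tempfile

ENV_VAR = "KEDRO_LOGGING_CONFIG"

def _read_config(env):
    """Parse the file the environment names; the attacker controls both name and contents."""
    with open(env[ENV_VAR], encoding="utf-8") as fh:
        return json.load(fh)

def load_logging_vulnerable(env=os.environ):
    """Pre-fix pattern: dictConfig imports and calls any dotted name under "()" or "class"."""
    logging.config.dictConfig(_read_config(env))
    return True

class UnsafeLoggingConfig(ValueError):
    """The config used a dictConfig feature that can execute attacker-chosen code."""

# Hypothetical allowlists; extend with the handler classes a project really uses.
ALLOWED_CLASSES = frozenset({"logging.StreamHandler", "logging.FileHandler",
                             "logging.handlers.RotatingFileHandler", "logging.Formatter"})
ALLOWED_EXT_REFS = frozenset({"ext://sys.stdout", "ext://sys.stderr"})

def validate_logging_config(conf, classes=ALLOWED_CLASSES, ext_refs=ALLOWED_EXT_REFS):
    """Reject every dictConfig feature that resolves an importable object by name:
    "()" factories, "." attribute injection, non-allowlisted "class" and ext:// values."""
    def walk(node, where):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{where}.{key}" if where else str(key)
                if key == "()":
                    raise UnsafeLoggingConfig(f"{here}: '()' factory not allowed")
                if key == ".":
                    raise UnsafeLoggingConfig(f"{here}: '.' attribute injection not allowed")
                if key == "class" and value not in classes:
                    raise UnsafeLoggingConfig(f"{here}: class {value!r} not allowlisted")
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{where}[{i}]")
        elif isinstance(node, str) and node.startswith("ext://") and node not in ext_refs:
            raise UnsafeLoggingConfig(f"{where}: {node!r} not allowlisted")
    walk(conf, "")
    return conf

def is_safe(conf):
    """True when validate_logging_config() accepts the dict."""
    try:
        validate_logging_config(conf)
        return True
    except UnsafeLoggingConfig:
        return False

def load_logging_hardened(env=os.environ):
    """Fixed pattern: validate before dictConfig, so nothing non-allowlisted is resolved."""
    logging.config.dictConfig(validate_logging_config(_read_config(env)))
    return True

def demo(tmp_root=None):
    """Both loaders against a constructed malicious file, then the hardened one against a
    benign file. Returns a dict of outcomes; the scratch directory is removed afterwards."""
    tmp_root = tmp_root or tempfile.mkdtemp(prefix="cve-2026-35171-")
    marker = os.path.join(tmp_root, "factory-ran-here")
    # Constructed attacker file. A real payload names os.system or subprocess.Popen;
    # os.makedirs stands in so the only effect is a marker directory. No logger refers
    # to the handler and it still runs, because dictConfig builds every handler listed.
    malicious = {"version": 1, "disable_existing_loggers": False,
                 "handlers": {"harmless_name": {"()": "os.makedirs", "name": marker}}}
    benign = {"version": 1, "disable_existing_loggers": False,
              "handlers": {"console": {"class": "logging.StreamHandler", "stream": "ext://sys.stderr"}},
              "loggers": {"kedro": {"handlers": ["console"], "level": "INFO", "propagate": False}}}
    paths = {}
    for name, conf in (("malicious", malicious), ("benign", benign)):
        paths[name] = os.path.join(tmp_root, f"{name}.json")
        with open(paths[name], "w", encoding="utf-8") as fh:
            json.dump(conf, fh)
    result = {}
    try:
        load_logging_vulnerable({ENV_VAR: paths["malicious"]})
    except ValueError:
        # dictConfig objects only AFTER calling the factory (os.makedirs returned None,
        # not a Handler); the side effect has already happened by then.
        pass
    result["vulnerable_ran_factory"] = os.path.isdir(marker)
    shutil.rmtree(marker, ignore_errors=True)
    try:
        load_logging_hardened({ENV_VAR: paths["malicious"]})
        result["hardened_blocked"] = False
    except UnsafeLoggingConfig as exc:
        result["hardened_blocked"], result["reason"] = True, str(exc)
    result["hardened_ran_factory"] = os.path.isdir(marker)
    result["benign_loaded"] = load_logging_hardened({ENV_VAR: paths["benign"]})
    shutil.rmtree(tmp_root, ignore_errors=True)
    return result

if __name__ == "__main__":
    print(demo())
    logging.getLogger("kedro").info("configured from the allowlisted file")
```

Two points the run makes concrete. First, dictConfig() calls the factory and only afterwards notices that it did not get a Handler back, so its own ValueError is not a defence; a real payload that returns any object with settable attributes raises nothing at all. Second, rejecting "()" alone is not enough: "class" is resolved by the same import-and-call path and "." lets the file setattr() on the result, so the validator treats all of them as code, and ext:// references are limited to the two standard streams. Restricting which paths KEDRO_LOGGING_CONFIG may name is a useful second layer, but the content check is what closes the hole.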
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code), CWE-502 (Deserialization of Untrusted Data)
Affected Products
- Kedro (kedro-org/kedro), all versions prior to 1.3.0; fixed in 1.3.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVSS vector (AV:N, PR:N) classes this as an unauthenticated remote code execution reachable over the network, which maps onto exploitation of a public-facing application. Kedro pipelines are usually batch or scheduled jobs rather than internet-facing services, so the realistic path is an attacker who can influence the process environment or its configuration files through a pipeline, manifest or repository and then waits for the next run.