Description
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Published: 2026-04-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Kedro, a production-ready data science toolkit, previously allowed a logging configuration file path to be set through the KEDRO_LOGGING_CONFIG environment variable. The logging configuration schema accepts a special () key that can instantiate arbitrary callables, enabling an attacker to execute system commands when the application starts. This flaw permits attackers to inject malicious code and run arbitrary commands with the same privileges as the Kedro process, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects the Kedro project provided by the Linux Foundation (kedro-org:kedro). All releases prior to version 1.3.0 are impacted, as the unsafe handling of user-controlled logging configuration exists only in those older builds.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity, while an EPSS score below 1% indicates a low estimated probability that exploitation will be observed in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to control the KEDRO_LOGGING_CONFIG environment variable or to supply a malicious logging configuration file that the Kedro process loads during startup. Once the variable points to a file containing a dangerous callable, the attacker can run arbitrary code in the context of the Kedro application.
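The mechanism described above is generic to Python's logging.config.dictConfig(): the "()" key names a factory callable that dictConfig resolves by import and invokes, and the "class" key is resolved the same way. The following is an added example, not code from Kedro or from the advisory, showing how a loader can reject such configurations before handing them to dictConfig. The sample configs, the ALLOWED_CLASS_PREFIXES allowlist and the function names are constructed for this illustration; the allowlist check on "class" is extra hardening beyond the "()" key the advisory names.

```python
import logging
import logging.config

# The "()" key is dictConfig's factory key: its value is resolved to any
# importable callable and invoked with the remaining keys as keyword arguments.
FACTORY_KEY = "()"

# Hardening beyond the advisory (assumption for this example): only accept
# handler/formatter/filter classes from the standard logging package. Widen
# the tuple for your own handler modules.
ALLOWED_CLASS_PREFIXES = ("logging.",)

# Constructed sample configurations; neither is taken from the advisory.
SAFE_CONFIG = {
    "version": 1,
    "formatters": {"simple": {"format": "%(levelname)s %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler", "formatter": "simple"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}

UNSAFE_CONFIG = {
    "version": 1,
    # Benign target, but the "()" factory key itself is what must be refused:
    # it accepts any importable callable, not only logging classes.
    "handlers": {"console": {"()": "logging.StreamHandler"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}


def _walk(node, path=()):
    """Yield (path, key, value) for every key in a nested dict/list config."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))


def validate_logging_config(config):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    for path, key, value in _walk(config):
        where = "/".join(path + (str(key),))
        if key == FACTORY_KEY:
            problems.append(f"factory key '()' at {where}")
        elif (key == "class" and isinstance(value, str)
              and not value.startswith(ALLOWED_CLASS_PREFIXES)):
            problems.append(f"class {value!r} outside allowlist at {where}")
    return problems


def apply_logging_config(config):
    """Validate first, then hand the config to dictConfig; raise on rejection."""
    problems = validate_logging_config(config)
    if problems:
        raise ValueError("refusing logging config: " + "; ".join(problems))
    logging.config.dictConfig(config)
    return True


if __name__ == "__main__":
    print(validate_logging_config(SAFE_CONFIG))    # []
    print(validate_logging_config(UNSAFE_CONFIG))  # one finding at handlers/console/()
    apply_logging_config(SAFE_CONFIG)
    logging.getLogger(__name__).info("logging configured from validated config")
```

In a real loader the dict would come from the file named by an environment variable such as KEDRO_LOGGING_CONFIG; the point is that validation happens on the parsed dict before dictConfig sees it, and that the check is structural (it walks every nesting level, so a "()" key hidden in a filter or formatter section is caught as well). Values using dictConfig's ext:// and cfg:// access protocols are not covered by this check and deserve the same scrutiny.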

Generated by OpenCVE AI on April 14, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kedro to version 1.3.0 or later.

Advisories

Source: GitHub GHSA
ID: GHSA-9cqf-439c-j96r
Title: Kedro has Arbitrary Code Execution via Malicious Logging Configuration
History

Tue, 14 Apr 2026 15:45:00 +0000

First Time appeared: Linuxfoundation; Linuxfoundation kedro
CPEs: cpe:2.3:a:linuxfoundation:kedro:*:*:*:*:*:python:*:*
Vendors & Products: Linuxfoundation; Linuxfoundation kedro

Tue, 07 Apr 2026 18:00:00 +0000

Metrics (ssvc):
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

First Time appeared: Kedro-org; Kedro-org kedro
Vendors & Products: Kedro-org; Kedro-org kedro

Mon, 06 Apr 2026 18:00:00 +0000

Description: Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Title: Arbitrary Code Execution via Malicious Logging Configuration in Kedro
Weaknesses: CWE-502; CWE-94
References:
Metrics (cvssV3_1):
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:10:37.613Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35171

Vulnrichment

Updated: 2026-04-07T15:07:55.111Z

NVD

Status: Analyzed

Published: 2026-04-06T18:16:43.373

Modified: 2026-04-14T15:36:21.790

Link: CVE-2026-35171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:14Z

Weaknesses