Cyber Posture

CVE-2026-35171

Critical · RCE

Published: 06 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: fixed in 1.3.0
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35171 is a critical-severity Code Injection (CWE-94) vulnerability in Linuxfoundation Kedro. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 42.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Timely remediation of the Kedro flaw in versions prior to 1.3.0 directly prevents exploitation of unsafe logging configuration loading via the KEDRO_LOGGING_CONFIG environment variable.

prevent · SI-10 (Information Input Validation): Requires validation of the user-controlled KEDRO_LOGGING_CONFIG input to block malicious configurations that use the "()" key for arbitrary callable instantiation and RCE.

prevent: Enforces secure baseline configuration settings for logging components to restrict or validate user-controlled environment variables such as KEDRO_LOGGING_CONFIG.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Critical unauthenticated remote code execution vulnerability exploitable over the network via control of the KEDRO_LOGGING_CONFIG environment variable, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.

Deeper analysis

CVE-2026-35171 is a critical remote code execution (RCE) vulnerability in Kedro, an open-source toolbox for production-ready data science projects. In versions prior to 1.3.0, Kedro allows the logging configuration file path to be specified via the KEDRO_LOGGING_CONFIG environment variable, which it loads without validation using logging.config.dictConfig(). The logging configuration schema supports a special "()" key that enables arbitrary callable instantiation, allowing attackers to inject malicious configurations that execute arbitrary system commands during application startup. The vulnerability is associated with CWE-94 (Improper Control of Generation of Code) and CWE-502 (Deserialization of Untrusted Data), and it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with the ability to control the KEDRO_LOGGING_CONFIG environment variable can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation occurs at application startup when the unvalidated logging configuration is processed, enabling arbitrary command execution on the host system. Successful attacks grant high-impact access to confidentiality, integrity, and availability, potentially allowing full system compromise in environments where Kedro applications are deployed.

The vulnerability is addressed in Kedro version 1.3.0, which includes fixes to prevent unsafe loading of user-controlled logging configurations. Additional details and mitigation guidance are available in the official security advisory at https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r. Security practitioners should upgrade to 1.3.0 or later and review environment variable controls in deployment pipelines.
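The NVD description and the analysis above both come down to one pattern: a dictionary taken from a user-controlled path is handed straight to logging.config.dictConfig(), whose schema can instantiate arbitrary callables. The following is an added example (not Kedro's code and not the fix shipped in 1.3.0) of the two SI-10 style checks a defender would put in front of that call: constrain the configuration path to an allow-listed directory, and reject any configuration that contains a "()" factory key, a handler or formatter "class" outside a small allow-list, or an "ext://"/"cfg://" reference other than the usual stdout/stderr streams. The allow-lists, the directory /opt/app/conf, the file name logging.yml and the sample configurations are all constructed for this example; the example takes an already-parsed dictionary so that it runs without a YAML library.

```python
import logging
import logging.config
import os
from pathlib import Path
from typing import Any

# Constructed allow-lists for this example. Extend them deliberately; every
# entry is a class dictConfig will import and instantiate with config-supplied
# keyword arguments.
ALLOWED_CLASSES = {
    "logging.StreamHandler",
    "logging.FileHandler",
    "logging.handlers.RotatingFileHandler",
    "logging.Formatter",
}
# dictConfig resolves "ext://<dotted.name>" to any importable object, so only
# the two streams a logging config legitimately needs are permitted.
ALLOWED_EXT_REFS = {"ext://sys.stdout", "ext://sys.stderr"}


class UnsafeLoggingConfig(ValueError):
    """Raised when a logging config contains a construct that could run code."""


def _walk(node: Any, path: str = "$") -> None:
    """Recursively inspect every key and string value of a parsed config."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "()":
                raise UnsafeLoggingConfig(f"{path}: '()' factory keys are not allowed")
            if key == "class" and (not isinstance(value, str) or value not in ALLOWED_CLASSES):
                raise UnsafeLoggingConfig(f"{path}.class: {value!r} is not an allow-listed class")
            _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]")
    elif isinstance(node, str):
        if node.startswith("cfg://") or (node.startswith("ext://") and node not in ALLOWED_EXT_REFS):
            raise UnsafeLoggingConfig(f"{path}: reference {node!r} is not allowed")


def validate_logging_config(config: Any) -> dict:
    """Return the config unchanged if it only uses allow-listed constructs."""
    if not isinstance(config, dict) or config.get("version") != 1:
        raise UnsafeLoggingConfig("config must be a mapping with version == 1")
    _walk(config)
    return config


def is_safe_logging_config(config: Any) -> bool:
    try:
        validate_logging_config(config)
        return True
    except UnsafeLoggingConfig:
        return False


def resolve_config_path(env_value: str, allowed_root: str) -> Path:
    """Resolve the env-var value and refuse anything outside allowed_root."""
    root = Path(allowed_root).resolve()
    candidate = Path(env_value) if os.path.isabs(env_value) else root / env_value
    candidate = candidate.resolve()  # collapses ".." and symlinks before the check
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeLoggingConfig(f"{env_value!r} resolves outside {root}") from None
    return candidate


def path_is_allowed(env_value: str, allowed_root: str) -> bool:
    try:
        resolve_config_path(env_value, allowed_root)
        return True
    except UnsafeLoggingConfig:
        return False


def apply_logging_config(config: dict) -> logging.Logger:
    """Validate first, then hand the config to dictConfig; returns the 'kedro' logger."""
    logging.config.dictConfig(validate_logging_config(config))
    return logging.getLogger("kedro")


# Constructed sample configs: one ordinary console setup, and two that the
# validator must reject (a factory key, and a class outside the allow-list).
SAFE_CONFIG = {
    "version": 1,
    "disable_existing_loggers": False,
    "formatters": {"simple": {"format": "%(levelname)s %(name)s: %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler", "formatter": "simple",
                             "stream": "ext://sys.stdout"}},
    "loggers": {"kedro": {"level": "INFO", "handlers": ["console"]}},
}
FACTORY_CONFIG = {"version": 1,
                  "handlers": {"h": {"()": "example.factory"}}}          # hypothetical name
UNLISTED_CLASS_CONFIG = {"version": 1,
                         "handlers": {"h": {"class": "example.handlers.Custom"}}}  # hypothetical name

if __name__ == "__main__":
    print("path ok:", path_is_allowed("logging.yml", "/opt/app/conf"))
    print("traversal ok:", path_is_allowed("../../../etc/passwd", "/opt/app/conf"))
    for name, cfg in [("safe", SAFE_CONFIG), ("factory", FACTORY_CONFIG), ("class", UNLISTED_CLASS_CONFIG)]:
        print(name, "accepted" if is_safe_logging_config(cfg) else "rejected")
    apply_logging_config(SAFE_CONFIG).info("logging configured from a validated config")
```

The class allow-list matters as much as the "()" check: dictConfig also imports whatever dotted name appears under "class" and calls it with the remaining keys as arguments, so stripping "()" alone would leave an equivalent path open. In a deployment, the path check belongs wherever the environment variable is read, and the config check belongs immediately before the dictConfig() call, with a rejection logged at startup so that a tampered configuration is visible rather than silently ignored.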

Details

CWE(s): CWE-94 (Improper Control of Generation of Code), CWE-502 (Deserialization of Untrusted Data)

Affected Products

Vendor: linuxfoundation · Product: kedro · Versions: ≤ 1.3.0

CVEs Like This One

CVE-2026-35167 · Same product: Linuxfoundation Kedro
CVE-2024-24421 · Same vendor: Linuxfoundation
CVE-2026-33701 · Same vendor: Linuxfoundation
CVE-2026-25153 · Same vendor: Linuxfoundation
CVE-2026-24124 · Same vendor: Linuxfoundation
CVE-2025-68137 · Same vendor: Linuxfoundation
CVE-2026-32613 · Same vendor: Linuxfoundation
CVE-2024-24416 · Same vendor: Linuxfoundation
CVE-2026-32236 · Same vendor: Linuxfoundation
CVE-2026-33217 · Same vendor: Linuxfoundation

References

GitHub Security Advisory GHSA-9cqf-439c-j96r: https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r