CVE-2026-35171 · CRITICAL 9.8 · EPSS percentile 48.8%

CVE-2026-35171

Description

Kedro is a toolbox for production-ready data science. In versions prior to 1.3.0, Kedro reads the path of its logging configuration file from the KEDRO_LOGGING_CONFIG environment variable and loads that file without validation. The configuration is handed to logging.config.dictConfig(), whose schema supports the special "()" key: its value names any importable callable, which dictConfig() imports and calls with the sibling keys as keyword arguments. An attacker who controls the environment variable, or the file it points to, can therefore execute arbitrary system commands while the application starts up. The result is a critical remote code execution (RCE) vulnerability caused by passing user-controlled input to logging.config.dictConfig(). The vulnerability is fixed in 1.3.0.
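The mechanism the description relies on, as an added example (this is not Kedro's code and not the 1.3.0 fix, which the advisory page does not reproduce): a hypothetical loader that follows the vulnerable pattern, a constructed logging config whose "()" factory key makes dictConfig() call subprocess.run during "startup", and a hardened loader that confines the file path to a trusted directory and rejects every schema construct that resolves or instantiates arbitrary objects. The function names, the JSON file format (Kedro itself uses YAML), the allowlist and the trusted-directory policy are assumptions; the payload only writes a marker file.

```python
# Added example for CVE-2026-35171; not Kedro's implementation. Names, JSON
# format, allowlist and trusted-directory policy are assumptions.
import json
import logging.config
import os
import sys
import tempfile
from pathlib import Path

ENV_VAR = "KEDRO_LOGGING_CONFIG"  # the variable named in the advisory

# Assumed allowlist of exact dotted names, deliberately not a prefix test:
# startswith("logging.") would be bypassed by "logging.os.system", because
# dictConfig's resolve() walks module attributes, and logging imports os.
ALLOWED_CLASSES = {"logging.StreamHandler", "logging.FileHandler",
                   "logging.handlers.RotatingFileHandler", "logging.Formatter"}
FORBIDDEN_KEYS = {"()", "."}               # factory key and property-setter key
FORBIDDEN_PREFIXES = ("ext://", "cfg://")  # value converters that resolve objects


def load_logging_config_unsafe(env: dict) -> dict:
    """Vulnerable pattern (hypothetical stand-in for the pre-1.3.0 behaviour):
    trust the path from the environment and pass the file to dictConfig()."""
    with open(env[ENV_VAR], encoding="utf-8") as fh:
        cfg = json.load(fh)
    logging.config.dictConfig(cfg)
    return cfg


def build_malicious_config(marker: str) -> dict:
    """Attacker-controlled config (constructed). '()' names any importable
    callable and the sibling keys become its keyword arguments, so a
    'formatter' can be subprocess.run. A marker file stands in for a payload."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
            "evil": {
                "()": "subprocess.run",
                "args": [sys.executable, "-c",
                         f"open({marker!r}, 'w').write('ran')"],
            }
        },
    }


def validate_logging_config(cfg, path="$") -> bool:
    """Reject every dictConfig construct that instantiates or looks up arbitrary
    Python objects: '()' factories, '.' setters, ext://, cfg://, unknown classes."""
    if isinstance(cfg, dict):
        for key, value in cfg.items():
            if key in FORBIDDEN_KEYS:
                raise ValueError(f"{path}: key {key!r} instantiates arbitrary callables")
            if key == "class" and (not isinstance(value, str) or value not in ALLOWED_CLASSES):
                raise ValueError(f"{path}.class: {value!r} is not an allowed class")
            validate_logging_config(value, f"{path}.{key}")
    elif isinstance(cfg, list):
        for i, item in enumerate(cfg):
            validate_logging_config(item, f"{path}[{i}]")
    elif isinstance(cfg, str) and cfg.startswith(FORBIDDEN_PREFIXES):
        raise ValueError(f"{path}: value {cfg!r} resolves an arbitrary object")
    return True


def load_logging_config_safe(env: dict, trusted_dir: str) -> dict:
    """Hardened pattern (assumed policy): the file must live inside trusted_dir
    and pass validate_logging_config() before dictConfig() sees it."""
    root = Path(trusted_dir).resolve()
    path = Path(env.get(ENV_VAR, root / "logging.json")).resolve()
    if not path.is_relative_to(root):
        raise PermissionError(f"{path} is outside the trusted directory {root}")
    cfg = json.loads(path.read_text(encoding="utf-8"))
    validate_logging_config(cfg)
    logging.config.dictConfig(cfg)
    return cfg


def demo() -> dict:
    """Feed the same attacker-supplied file to both loaders (constructed run)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker.txt")
        cfg_file = os.path.join(tmp, "logging.json")
        with open(cfg_file, "w", encoding="utf-8") as fh:
            json.dump(build_malicious_config(marker), fh)
        env = {ENV_VAR: cfg_file}

        load_logging_config_unsafe(env)          # the factory runs here
        unsafe_executed = os.path.exists(marker)
        if unsafe_executed:
            os.remove(marker)

        try:
            load_logging_config_safe(env, tmp)
            safe_error = None
        except ValueError as exc:                # validation fires before dictConfig()
            safe_error = str(exc)
        safe_executed = os.path.exists(marker)

        try:                                     # a path outside trusted_dir
            load_logging_config_safe({ENV_VAR: os.path.join(tmp, "..", "x.json")}, tmp)
            outside_rejected = False
        except PermissionError:
            outside_rejected = True
    return {"unsafe_executed": unsafe_executed, "safe_executed": safe_executed,
            "safe_error": safe_error, "outside_rejected": outside_rejected}
```

Two points worth keeping in mind when porting this check: the same "()" key is accepted under formatters, filters and handlers, so the walk has to cover the whole document rather than one section, and an allowlist on the "class" key must compare whole dotted names, since resolve() follows attributes as well as modules.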

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% probability of exploitation · percentile 48.8% · 2026-06-19T12:03:05Z
Published: 2026-04-06
Last modified: 2026-04-14

Underlying weaknesses (2)

CWE-94, CWE-502

References

  1. https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r


Type     | Target                                                              | Confidence | Tier
Weakness | Deserialization of Untrusted Data (CWE-502)                         | 0%         | live
Weakness | Improper Control of Generation of Code ('Code Injection') (CWE-94)  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-35167
CVE-2026-34612
CVE-2026-31231
CVE-2025-49655
CVE-2026-30861
CVE-2025-1550

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.