4 matches found

Cvelist
added 2026/04/06 5:45 p.m. | 18 views

CVE-2026-35171 Arbitrary Code Execution via Malicious Logging Configuration in Kedro

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary...

CVSS 9.8 | EPSS 0.00202
Exploits 0 | References 1
CVE
added 2026/04/06 5:45 p.m. | 6 views

CVE-2026-35171

Kedro is affected by an RCE via unsafe use of logging.config.dictConfig() with user-controlled input. The vulnerability arises because Kedro can read a logging config path from the KEDRO_LOGGING_CONFIG environment variable and load it without validation, allowing the special () key to instantiate...

CVSS 9.8 | AI score 6.7 | EPSS 0.00202
Exploits 0 | References 1 | Affected Software 1
Github Security Blog
added 2026/04/03 3:48 a.m. | 5 views

Kedro has Arbitrary Code Execution via Malicious Logging Configuration

Impact: This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig with user-controlled input. Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging...

CVSS 9.8 | AI score 6.7 | EPSS 0.00202
Exploits 0 | References 3 | Affected Software 1
OSV
added 2026/04/03 3:48 a.m. | 2 views

GHSA-9CQF-439C-J96R Kedro has Arbitrary Code Execution via Malicious Logging Configuration

Impact: This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig with user-controlled input. Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging...

CVSS 9.8 | AI score 6.7 | EPSS 0.00202
Exploits 0 | References 3