8 matches found
CVE-2026-23537 Feast: unauthenticated arbitrary file write
A vulnerability has been identified in the Feast Feature Server’s /save-document endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling a...
CVE-2026-56121
A flaw was found in Feast. This vulnerability allows unauthenticated or unauthorized attackers to achieve remote code execution. By sending a specially crafted gRPC request to the registry server, attackers can exploit an unsafe deserialization process. This enables them to execute operating syst...
PT-2026-51837
Name of the Vulnerable Software and Affected Versions Feast versions prior to 0.63.0 Description An unsafe deserialization issue exists in the registry server that allows unauthenticated or unauthorized attackers to achieve remote code execution. By sending a crafted gRPC request, an attacker can...
Allocation of Resources Without Limits or Throttling
Overview feast is a Python SDK for Feast Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebSocket endpoint. An attacker can exhaust server resources, including memory, CPU, and file descriptors, by establishing a large number of...
Missing Authorization
Overview feast is a Python SDK for Feast Affected versions of this package are vulnerable to Missing Authorization via the /save-document endpoint. An attacker can modify system files, overwrite configuration or startup scripts, or execute arbitrary code by sending crafted requests to write...
elemeno-ai-sdk (>=0.0.77 <=0.6.11), elemeno-mlops-cli (>=0.0.1 <=0.0.4) +22 more potentially affected by CVE-2026-23537 via feast (>=0.14.1 <=0.49.0)
feast PYPI version =0.14.1, =0.0.77, =0.0.1, =0.1.0, =0.3.0, =0.0.2, =1.0.0, =0.1.0, =0.1.33, =0.1.0, =0.6.19 and more Source cves: CVE-2026-23537 Source advisory: SNYK:PYTHON-FEAST-15857152...
GHSA-34WM-4HW7-QFJV Feast vulnerable to Deserialization of Untrusted Data
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at feast/sdk/python/feast/infra/computeengines/kubernetes/main.py. The vulnerability arises from the use of yaml.load..., Loader=yaml.Loader to...
elemeno-ai-sdk (>=0.0.77 <=0.6.11), elemeno-mlops-cli (>=0.0.1 <=0.0.4) +22 more potentially affected by CVE-2025-11157 via feast (>=0.14.1 <=0.49.0)
feast PYPI version =0.14.1, =0.0.77, =0.0.1, =0.1.0, =0.3.0, =0.0.2, =1.0.0, =0.1.0, =0.1.33, =0.1.0, =0.6.19 and more Source cves: CVE-2025-11157 Source advisory: SNYK:PYTHON-FEAST-14830622...