4 matches found
CVE-2026-35171
Kedro prior to version 1.3.0 is vulnerable to remote code execution via unsafe use of logging.config.dictConfig() with user-controlled input. The logging config path can be set through the KEDRO_LOGGING_CONFIG environment variable and is loaded without validation. The schema allows the special ()...
CVE-2026-35171 Arbitrary Code Execution via Malicious Logging Configuration in Kedro
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging configuration schema supports the special key, which enables arbitrary...
GHSA-9CQF-439C-J96R Kedro has Arbitrary Code Execution via Malicious Logging Configuration
Impact This is a critical remote code execution RCE vulnerability caused by unsafe use of logging.config.dictConfig with user-controlled input. Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging...
Kedro has Arbitrary Code Execution via Malicious Logging Configuration
Impact This is a critical remote code execution RCE vulnerability caused by unsafe use of logging.config.dictConfig with user-controlled input. Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging...