Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Kedro: Untrusted Logging Config Can Run Malicious Code
GHSA-9cqf-439c-j96r
CVE-2026-35171
Summary
An attacker can exploit a configuration file vulnerability in Kedro to run malicious code during application startup. This can happen if an attacker controls the KEDRO_LOGGING_CONFIG environment variable. To fix this, update to Kedro 1.3.0 or use workarounds like restricting access to the configuration file or validating its content manually.
What to do
- Update kedro to version 1.3.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | kedro | <= 1.3.0 | 1.3.0 |
Original title
Kedro has Arbitrary Code Execution via Malicious Logging Configuration
Original description
### Impact
This is a **critical Remote Code Execution (RCE)** vulnerability caused by unsafe use of `logging.config.dictConfig()` with user-controlled input.
Kedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the special `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.
---
### Patches
The vulnerability is fixed by introducing validation that rejects the unsafe `()` factory key in logging configurations before passing them to `dictConfig()`.
#### Fixed in
- Kedro 1.3.0
Users should upgrade to this version as soon as possible.
---
### Workarounds
If upgrading is not immediately possible:
- Do not allow untrusted input to control the `KEDRO_LOGGING_CONFIG` environment variable
- Restrict write access to logging configuration files
- Avoid using externally supplied or dynamically generated logging configs
- Manually validate logging YAML to ensure it does not contain the `()` key
These mitigations reduce risk but do not fully eliminate it.
This is a **critical Remote Code Execution (RCE)** vulnerability caused by unsafe use of `logging.config.dictConfig()` with user-controlled input.
Kedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the special `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.
---
### Patches
The vulnerability is fixed by introducing validation that rejects the unsafe `()` factory key in logging configurations before passing them to `dictConfig()`.
#### Fixed in
- Kedro 1.3.0
Users should upgrade to this version as soon as possible.
---
### Workarounds
If upgrading is not immediately possible:
- Do not allow untrusted input to control the `KEDRO_LOGGING_CONFIG` environment variable
- Restrict write access to logging configuration files
- Avoid using externally supplied or dynamically generated logging configs
- Manually validate logging YAML to ensure it does not contain the `()` key
These mitigations reduce risk but do not fully eliminate it.
ghsa CVSS3.1
9.8
Vulnerability type
CWE-94
Code Injection
CWE-502
Deserialization of Untrusted Data
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026