Executive Summary

CVE-2026-35171 is a critical remote code execution vulnerability in the Kedro Python package versions prior to 1.3.0. Kedro allows the logging configuration file path to be set via the environment variable KEDRO_LOGGING_CONFIG, which it loads without validation. The logging configuration schema supports a special () key that enables instantiation of arbitrary callables. An attacker can exploit this by supplying a malicious logging configuration containing the () key, leading to execution of arbitrary system commands during application startup.

This vulnerability arises from unsafe use of Python's logging.config.dictConfig() function with user-controlled input, allowing code injection and deserialization of untrusted data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the affected system. Because it allows remote code execution without requiring privileges or user interaction, an attacker can execute arbitrary system commands during application startup.

• Confidentiality impact: High - attacker can access sensitive data.
• Integrity impact: High - attacker can modify or corrupt data.
• Availability impact: High - attacker can disrupt or disable the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the environment variable KEDRO_LOGGING_CONFIG is set and points to a logging configuration file that contains the special () key, which enables arbitrary callable instantiation.

You can inspect the logging configuration files used by Kedro to see if they include the () key, which is unsafe.

Suggested commands include:

• On Linux or macOS, check if the environment variable is set: `echo $KEDRO_LOGGING_CONFIG`
• If set, inspect the referenced logging configuration file for the presence of the () key, for example: `grep -C 3 '()' /path/to/logging_config.yaml`
• Search your project directory for logging configuration files containing the () key: `grep -r '()' ./`

These steps help identify if the vulnerable logging configuration is in use, which could lead to exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade Kedro to version 1.3.0 or later, where the vulnerability is fixed by validating and rejecting unsafe () keys in logging configurations.

If upgrading immediately is not possible, the following mitigations can reduce risk:

• Prevent untrusted input from controlling the KEDRO_LOGGING_CONFIG environment variable.
• Restrict write access to logging configuration files to trusted users only.
• Avoid using externally supplied or dynamically generated logging configuration files.
• Manually validate logging YAML configuration files to ensure they do not contain the () key.

Note that these workarounds reduce but do not eliminate the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code remotely, which can lead to unauthorized access, data breaches, and system compromise.

Such security breaches can result in violations of common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity and confidentiality.

Failure to address this vulnerability could lead to non-compliance due to potential exposure of personal or protected health information, unauthorized data access, and disruption of services.

Therefore, organizations using affected versions of Kedro should upgrade to version 1.3.0 or apply mitigations to reduce the risk and maintain compliance with these regulations.

Useful 0 Not Useful 0