Publish GHSA-9cqf-439c-j96r

advisory-database[bot] · advisory-database[bot] · commit be3a2fe4d5f3 · 2026-04-07T17:06:39.000Z
diff --git a/advisories/github-reviewed/2026/04/GHSA-9cqf-439c-j96r/GHSA-9cqf-439c-j96r.json b/advisories/github-reviewed/2026/04/GHSA-9cqf-439c-j96r/GHSA-9cqf-439c-j96r.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9cqf-439c-j96r",
-  "modified": "2026-04-06T23:41:20Z",
+  "modified": "2026-04-07T17:04:40Z",
   "published": "2026-04-03T03:48:48Z",
   "aliases": [
     "CVE-2026-35171"
   ],
   "summary": "Kedro has Arbitrary Code Execution via Malicious Logging Configuration",
-  "details": "### Impact\n\nThis is a **critical Remote Code Execution (RCE)** vulnerability caused by unsafe use of `logging.config.dictConfig()` with user-controlled input.\n\nKedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the special `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.\n\n---\n\n### Patches\n\nThe vulnerability is fixed by introducing validation that rejects the unsafe `()` factory key in logging configurations before passing them to `dictConfig()`.\n\n#### Fixed in\n- Kedro 1.3.0\n\nUsers should upgrade to this version as soon as possible.\n\n---\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n- Do not allow untrusted input to control the `KEDRO_LOGGING_CONFIG` environment variable  \n- Restrict write access to logging configuration files  \n- Avoid using externally supplied or dynamically generated logging configs  \n- Manually validate logging YAML to ensure it does not contain the `()` key  \n\nThese mitigations reduce risk but do not fully eliminate it.",
+  "details": "### Impact\n\nThis is a **critical remote code execution (RCE)** vulnerability caused by unsafe use of `logging.config.dictConfig()` with user-controlled input.\n\nKedro allows the logging configuration file path to be set via the `KEDRO_LOGGING_CONFIG` environment variable and loads it without validation. The logging configuration schema supports the special `()` key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.\n\n---\n\n### Patches\n\nThe vulnerability is fixed by introducing validation that rejects the unsafe `()` factory key in logging configurations before passing them to `dictConfig()`.\n\n#### Fixed in\n- Kedro 1.3.0\n\nUsers should upgrade to this version as soon as possible.\n\n---\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n- Do not allow untrusted input to control the `KEDRO_LOGGING_CONFIG` environment variable  \n- Restrict write access to logging configuration files  \n- Avoid using externally supplied or dynamically generated logging configs  \n- Manually validate logging YAML to ensure it does not contain the `()` key  \n\nThese mitigations reduce risk but do not fully eliminate it.\n\n---\n\n### References\n\n- Python logging configuration documentation: https://docs.python.org/3/library/logging.config.html#logging-config-dictschema  \n- CWE-94: Code Injection — https://cwe.mitre.org/data/definitions/94.html",
   "severity": [
     {
       "type": "CVSS_V3",
