CVE-2026-35171
Linuxfoundation · Kedro
Vulnerability data via NVD (ingested)
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
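A pre-load check for the pattern described above, as an added example (not Kedro's code and not the fix shipped in 1.3.0): it walks an already-parsed logging config and refuses to call logging.config.dictConfig() if any `()` factory key or non-allowlisted `class` value is present. The allowlist, the function names and the `example_pkg.*` names are assumptions made for illustration.

```python
import logging.config

# Assumption: the only handler/formatter classes this deployment needs.
ALLOWED_CLASSES = {"logging.StreamHandler", "logging.FileHandler", "logging.Formatter"}

# Constructed sample configs (already parsed from YAML/JSON into dicts).
SAFE_CONFIG = {
    "version": 1,
    "disable_existing_loggers": False,
    "handlers": {"console": {"class": "logging.StreamHandler", "level": "INFO"}},
    "root": {"handlers": ["console"], "level": "INFO"},
}
SUSPECT_CONFIG = {
    "version": 1,
    "handlers": {
        # example_pkg.* are hypothetical placeholder names, never imported here.
        "custom": {"()": "example_pkg.make_handler", "arg": "value"},
        "other": {"class": "example_pkg.OtherHandler"},
    },
    "root": {"handlers": ["custom", "other"]},
}


def find_unsafe_entries(node, path="$"):
    """Return (path, reason) pairs for keys that make dictConfig call arbitrary code."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "()":
                findings.append((here, "custom factory key '()'"))
            elif key == "class" and (not isinstance(value, str) or value not in ALLOWED_CLASSES):
                findings.append((here, f"class {value!r} not in allowlist"))
            findings.extend(find_unsafe_entries(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_unsafe_entries(item, f"{path}[{index}]"))
    return findings


def configure_logging_checked(config):
    """Call dictConfig only after the config has passed the structural check."""
    findings = find_unsafe_entries(config)
    if findings:
        raise ValueError("; ".join(f"{where}: {why}" for where, why in findings))
    logging.config.dictConfig(config)
```

The same walker can be run over logging config files in a repository or deployment to audit them before upgrading.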
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-35171
product:"Linuxfoundation Kedro"
http.html:"Kedro"
vulnerabilities.cve_id: CVE-2026-35171
CVE-2026-35171
"CVE-2026-35171" exploit -site:nvd.nist.gov