Remote Code Execution Vulnerability in Kedro Data Science Toolbox
CVE-2026-35171

9.8 CRITICAL

Key Information:

Vendor

Kedro-org

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-35171?

The Kedro data science toolbox allows the path of its logging configuration file to be set through an environment variable. Because this user-controlled input is handled unsafely, an attacker who can set that variable can cause arbitrary system commands to execute when the application starts, by abusing the special key of the logging configuration schema. The issue is resolved in version 1.3.0.

Affected Version(s)

kedro < 1.3.0

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
