{"id":"CVE-2026-56121","summary":"Feast \u003c 0.63.0 Unauthenticated RCE via ApplyFeatureView gRPC Deserialization","details":"Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.","modified":"2026-07-16T03:31:01.055304187Z","published":"2026-06-24T14:49:11.490Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-502"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56121.json"},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-56121.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-56121"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56121.json"},{"type":"ADVISORY","url":"https://github.com/feast-dev/feast/releases/tag/v0.63.0"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56121"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/feast-unauthenticated-rce-via-applyfeatureview-grpc-deserialization"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492229"},{"type":"FIX","url":"https://github.com/feast-dev/feast/commit/835cda8e2c1359f1f496ad72701dbd6a73bdb25a"},{"type":"PACKAGE","url":"https://github.com/feast-dev/feast"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/d64b8111-180b-46ba-afa3-c877fda2ede6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/feast-dev/feast","events":[{"introduced":"0"},{"fixed":"50ad181b420a8c95cdd421d3908d298fd355b1b5"},{"fixed":"835cda8e2c1359f1f496ad72701dbd6a73bdb25a"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.63.0"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["v0.62.0","v0.60.0","v0.59.0","v0.58.0","v0.54.0","v0.57.0","v0.56.0","v0.55.0","v0.53.0","v0.52.0","v0.51.0","v0.50.0","v0.49.0","v0.48.0","v0.47.0","v0.46.0","v0.45.0","v0.44.0","v0.43.0","v0.42.0","v0.41.0","v0.40.0","v0.39.0","v0.38.0","v0.37.0","v0.36.0","v0.35.0","v0.34.0","v0.33.0","v0.32.0","v0.31.0","v0.30.0","v0.29.0","v0.28.0","v0.27.0","v0.26.0","v0.25.0","v0.24.0","v0.23.0","v0.22.0","v0.21.0","v0.20.0","v0.19.0","v0.18.0","v0.17.0","v0.16.0","v0.14.0","v0.13.0","v0.12.0","v0.11.0","v0.10.0","v0.9.0-rc.2","v0.9.0-rc.1","v0.8.0","sdk/go/v0.8.0","v0.8.0-rc.3","v0.8.0-rc.2","v0.8.0-rc.1","v0.6.0","v0.5.0","v0.4.2","v0.4.1","v0.4.0","v0.3.2","v0.3.0","v0.1.1","v0.1.0","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56121.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}