CVE-2026-56121
CRITICAL
NVD
CVSS Score
9.8
Severity
CRITICAL
Published
Jun 24, 2026
Vendor
unknown
Description
Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.
References
- https://github.com/feast-dev/feast/commit/835cda8e2c1359f1f496ad72701dbd6a73bdb25a
- https://github.com/feast-dev/feast/releases/tag/v0.63.0
- https://huntr.com/bounties/d64b8111-180b-46ba-afa3-c877fda2ede6
- https://www.vulncheck.com/advisories/feast-unauthenticated-rce-via-applyfeatureview-grpc-deserialization