PatchSiren cyber security CVE debrief

CVE-2026-56121 feast-dev CVE debrief

CVE-2026-56121 is a critical vulnerability in Feast, an open-source feature store, that allows unauthenticated remote code execution via gRPC deserialization. It affects Feast versions before 0.63.0 and is caused by the unsafe deserialization of user-defined function bodies in OnDemandFeatureView specs. An attacker can exploit it by sending a crafted gRPC request to the registry server, leading to the execution of arbitrary OS commands as the Feast service account. The vulnerability has a CVSS score of 9.3 (critical). Feast developers have released a patched version (0.63.0) to address this issue.

Vendor: feast-dev
Product: feast
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-30
Advisory published: 2026-06-24
Advisory updated: 2026-06-30

Who should care

Organizations running Feast before version 0.63.0 should prioritize patching to prevent remote code execution. Security teams and administrators responsible for Feast deployments should treat this as a critical vulnerability and act immediately to mitigate the risk.

Technical summary

The vulnerability arises from the unsafe deserialization of user-defined function bodies in OnDemandFeatureView specs. Specifically, the user_defined_function.body field is base64-decoded and passed to dill.loads() without any authorization check. dill, like pickle, reconstructs objects by calling whatever callable a serialized object's __reduce__ method names, so an attacker can embed a serialized Python object whose __reduce__ runs OS commands as the Feast service account. The impact is exacerbated by the fact that the registry server accepts these gRPC requests without authentication.
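The following is an added example, not Feast's code or its fix, that contrasts the risky pattern described above (base64 body straight into a pickle-family loader) with a hardened loader that checks authorization first, triages the raw stream for the globals it references without executing it, and then deserializes through an Unpickler whose find_class only resolves an explicit allowlist. The standard-library pickle module stands in for dill (dill streams use the pickle opcode format); the allowlist, the sample bodies and the function names are all constructed for illustration.

```python
import base64
import datetime
import io
import pickle
import pickletools

# Constructed allowlist: the only (module, name) globals this loader will resolve.
# A real deployment would list exactly the types its UDF bodies legitimately need.
ALLOWED_GLOBALS = {("builtins", "range"), ("builtins", "set"), ("builtins", "frozenset")}


def encode_body(obj) -> str:
    """Build a base64 'function body' the way a client would (constructed sample input)."""
    return base64.b64encode(pickle.dumps(obj, protocol=4)).decode("ascii")


# Constructed sample bodies: one references an allowlisted global (builtins.range),
# the other a global outside the allowlist (datetime.date). Both are reconstructed
# via a REDUCE opcode, i.e. the same mechanism an attacker's __reduce__ payload uses.
RANGE_BODY = encode_body(range(3))
DATE_BODY = encode_body(datetime.date(2026, 6, 24))


def vulnerable_load(body_b64: str):
    """The risky pattern: decode and deserialize with no authorization and no inspection.
    Whatever callable the stream names gets executed during loading."""
    return pickle.loads(base64.b64decode(body_b64))


def triage(body_b64: str) -> list:
    """Detection aid: walk the pickle opcodes WITHOUT executing them and list every
    global the stream references, as 'module.name'. Handles the GLOBAL opcode and
    the common STACK_GLOBAL encoding (two literal strings pushed right before it).
    Strings reused through memo GETs are not followed; this is a triage heuristic
    for logging and alerting, not the enforcement point."""
    raw = base64.b64decode(body_b64)
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(raw):
        if op.name == "GLOBAL":                      # protocol 0-3: 'module name'
            module, name = arg.split(" ", 1)
            found.add(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":              # protocol 4+: module, name on stack
            if len(recent_strings) >= 2:
                found.add(f"{recent_strings[-2]}.{recent_strings[-1]}")
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
    return sorted(found)


class RestrictedUnpickler(pickle.Unpickler):
    """Enforcement point: pickle asks find_class for every global it must resolve,
    including the callable in a REDUCE, so denying here denies the gadget."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def hardened_load(body_b64: str, *, authorized: bool):
    """Authorize, triage, then deserialize through the restricted unpickler.
    Returns ('loaded', obj) or ('rejected', reason) so callers can log either way."""
    if not authorized:
        return ("rejected", "caller is not authorized to register UDF bodies")
    suspicious = [g for g in triage(body_b64) if tuple(g.split(".", 1)) not in ALLOWED_GLOBALS]
    if suspicious:
        # Log-worthy: the body names globals the registry never expects to see.
        return ("rejected", "unexpected globals: " + ", ".join(suspicious))
    try:
        return ("loaded", RestrictedUnpickler(io.BytesIO(base64.b64decode(body_b64))).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load(DATE_BODY))            # loads anything
    print("triage:", triage(DATE_BODY), triage(RANGE_BODY))
    print("hardened:", hardened_load(DATE_BODY, authorized=True))
    print("hardened:", hardened_load(RANGE_BODY, authorized=True))
    print("hardened:", hardened_load(RANGE_BODY, authorized=False))
```

The two layers serve different purposes: triage() lets a defender inspect or alert on bodies arriving over gRPC without ever running them, while find_class is what actually stops an unexpected __reduce__ callable from being resolved. An authorization check before either is the fix the advisory calls for; the allowlist is defence in depth for bodies that pass it.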

Defensive priority

Patching Feast deployments to version 0.63.0 or later should be treated as high priority. Until that is done, defenders can restrict network access to the registry server, monitor for suspicious gRPC requests to it, and add compensating controls to reduce the likelihood and impact of exploitation.

Recommended defensive actions

  • Patch Feast deployments to version 0.63.0 or later
  • Restrict access to the registry server
  • Monitor for suspicious gRPC requests
  • Implement additional security controls to mitigate the risk of exploitation
  • Review and update incident response plans to address potential exploitation

Evidence notes

CVE-2026-56121 was publicly disclosed on June 24, 2026, and the record was last updated on June 30, 2026. The vulnerability has a CVSS score of 9.3 and is rated critical. Multiple sources, including Huntr and VulnCheck, have reported on it, and Feast developers have released a patched version to address the issue.

Official resources

This article is AI-assisted and based on the supplied source corpus.