PatchSiren cyber security CVE debrief
CVE-2026-56121 feast-dev CVE debrief
CVE-2026-56121 is a critical vulnerability in Feast, an open-source feature store for machine learning, that allows unauthenticated remote code execution via gRPC deserialization. The vulnerability exists in Feast versions before 0.63.0 and is caused by the unsafe deserialization of user-defined function bodies in OnDemandFeatureView specs. An attacker can exploit it by sending a crafted gRPC request to the registry server, leading to the execution of arbitrary OS commands as the Feast service account. The vulnerability has a CVSS score of 9.3 and is rated critical. The Feast developers have released a patched version (0.63.0) to address this issue.
- Vendor: feast-dev
- Product: feast
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-30
Who should care
Organizations using Feast before version 0.63.0 should prioritize patching this vulnerability to prevent potential remote code execution attacks. Security teams and administrators responsible for maintaining Feast deployments should be aware of this critical vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability in Feast arises from the unsafe deserialization of user-defined function bodies in OnDemandFeatureView specs. Specifically, the user_defined_function.body field is decoded from base64 and passed to dill.loads() without any authorization checks. This allows attackers to embed malicious serialized Python objects with arbitrary __reduce__ methods, enabling the execution of OS commands as the Feast service account. The vulnerability is exacerbated by the fact that it can be exploited via unauthenticated gRPC requests to the registry server.
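The decode-then-deserialize pattern described above is worth seeing next to a guarded form. The following is an added illustration, not Feast's code: it assumes a hypothetical allowlist of globals a function body may reference and uses the standard-library pickle machinery (on which dill builds) to refuse any global lookup outside that allowlist before an object is constructed, which is where a __reduce__ callable would otherwise be resolved.

```python
import base64
import io
import os
import pickle

# Hypothetical allowlist (assumption for this example): the only module-level
# globals a deserialized body is permitted to reference.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any GLOBAL / STACK_GLOBAL lookup outside ALLOWED_GLOBALS.

    A pickle stream that wants to invoke a callable (the __reduce__ pattern)
    must first name it via a global reference; rejecting unknown globals
    therefore stops the callable from ever being resolved.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def load_udf_body(b64_body: str):
    """Strictly base64-decode a body and load it through the restricted loader."""
    raw = base64.b64decode(b64_body, validate=True)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_body_safe(b64_body: str) -> bool:
    """True only if the body decodes and loads without touching a refused global."""
    try:
        load_udf_body(b64_body)
        return True
    except (pickle.UnpicklingError, ValueError, AttributeError):
        return False


def sample_bodies():
    """Constructed samples: a plain dict payload, and a pickle that references
    a callable by name (os.getcwd, harmless) and so is outside the allowlist."""
    benign = base64.b64encode(pickle.dumps({"a": 1})).decode()
    referencing = base64.b64encode(pickle.dumps(os.getcwd)).decode()
    return benign, referencing


if __name__ == "__main__":
    benign, referencing = sample_bodies()
    print(is_body_safe(benign), is_body_safe(referencing))  # True False
```

A restricted loader is defense in depth only; the remediation the advisory gives is upgrading to 0.63.0, and an unauthenticated registry endpoint should not accept serialized code bodies at all.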
Defensive priority
High priority should be given to patching Feast deployments to version 0.63.0 or later. In the meantime, defenders can consider restricting access to the registry server, monitoring for suspicious gRPC requests, and implementing additional security controls to mitigate the risk of exploitation.
Recommended defensive actions
- Patch Feast deployments to version 0.63.0 or later
- Restrict access to the registry server
- Monitor for suspicious gRPC requests
- Implement additional security controls to mitigate the risk of exploitation
- Review and update incident response plans to address potential exploitation
Evidence notes
The CVE-2026-56121 vulnerability was publicly disclosed on June 24, 2026, and the CVE record was last updated on June 30, 2026. The vulnerability has a CVSS score of 9.3 and is rated critical. Multiple sources, including Huntr and VulnCheck, have reported on this vulnerability, and the Feast developers have released a patched version to address the issue.
Official resources
- CVE-2026-56121 CVE record (CVE.org)
- CVE-2026-56121 NVD detail (NVD)
This article is AI-assisted and based on the supplied source corpus.