Severity: CRITICAL. CVE-2026-56121. CNA: VulnCheck.

CVE-2026-56121: Feast < 0.63.0 Unauthenticated RCE via ApplyFeatureView gRPC Deserialization

Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.
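As an added example (not Feast's own code), the two mitigations the description implies, shown with the stdlib pickle module: run the authorization check before the payload is touched at all, and resolve every global through an allowlisting find_class so a serialized object cannot import arbitrary callables. dill's Unpickler derives from pickle.Unpickler, so the same override is assumed to apply there; SAFE_GLOBALS, RestrictedUnpickler, apply_feature_view and the sample bodies are constructed for this example.

```python
import base64
import io
import math
import pickle

# Allowlist of (module, qualname) pairs a UDF body may reference. Constructed
# for this example; a real registry would derive it from what its UDFs need.
SAFE_GLOBALS = {("builtins", "len"), ("math", "sqrt")}


class RestrictedUnpickler(pickle.Unpickler):
    """Every global a pickle stream imports is resolved through find_class, so
    refusing unknown names here blocks __reduce__-style payloads before any
    attacker-chosen callable is ever resolved."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_udf_body(b64_body: str):
    """Base64-decode the body and deserialize it through the restricted loader."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(b64_body))).load()


def apply_feature_view(caller_is_authorized: bool, b64_body: str):
    """Hypothetical handler. The vulnerable ordering deserialized first; here the
    authorization check runs first, so an unauthenticated caller never reaches
    the deserializer."""
    if not caller_is_authorized:
        raise PermissionError("ApplyFeatureView denied before deserialization")
    return load_udf_body(b64_body)


def classify(b64_body: str) -> str:
    """'ok' when the body loads under the allowlist, 'rejected' otherwise."""
    try:
        load_udf_body(b64_body)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample bodies: a benign reference to math.sqrt and one that
# references a builtin outside the allowlist (nothing is executed either way).
BENIGN = base64.b64encode(pickle.dumps(math.sqrt)).decode()
FORBIDDEN = base64.b64encode(pickle.dumps(sum)).decode()
```

Allowlisting broad helpers such as builtins.getattr or importlib functions would reopen the hole, so the allowlist must stay narrow.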

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 0.63.0
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unsafe deserialization vulnerability in Feast (the open-source feature store), present in versions before 0.63.0, allows an unauthenticated remote attacker to execute arbitrary operating system commands on the registry server. The flaw is reached over the network with no credentials required: the registry server decodes and deserializes a user-supplied field via dill.loads() before performing any authorization check, so a single crafted gRPC request is all that is needed. Successful exploitation gives the attacker full remote code execution as the Feast service account, with high impact on the confidentiality, integrity, and availability of the host. A patched-image rebuild at version 0.63.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56121 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Feast as a dependency. Any image whose Feast package version falls below 0.63.0 is flagged automatically at both registry scan time and CI pipeline gate.

Triage: Available

Triage is available with a CVSS v4.0 score of 9.3 (CRITICAL), and HarborGuard weights that score against each environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild pinned to Feast 0.63.0 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The Feast registry server must be reachable over the network; an attacker sends a crafted gRPC request directly to it from any network-accessible position.

  • Authentication: Not required

    No credentials or account of any kind are needed; the vulnerable dill.loads() call executes before any authorization check is performed.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any user or operator of the affected system.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and condition-free, requiring only a single crafted gRPC request with a malicious serialized Python object in the user_defined_function.body field.

Blast Radius

  • Attacker executes arbitrary OS commands as the Feast service account, gaining full control of the registry server process.
  • All feature store data readable by the service account, including stored feature definitions and any secrets accessible from the process environment, is exposed.
  • The attacker can modify or delete persisted feature view registrations, corrupting the feature store state for downstream ML pipelines.
  • The registry server process can be crashed or held under the attacker's control, disrupting feature serving for all dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-56121 activates the moment the advisory is ingested, flagging any image containing Feast below 0.63.0 across registries and CI pipelines. A rebuilt image at the fixed version 0.63.0 is available immediately for affected environments. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes regression tests, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Given the unauthenticated network-exploitable nature of this vulnerability and the absence of any complexity barrier, customers who cannot immediately apply the patch should consider isolating the Feast registry server behind a network policy that restricts inbound gRPC access to trusted internal callers only, and applying egress filtering on the service account to limit the blast radius of any active exploitation.


Fix available: 0.63.0

Patch commits

Affected packages
  • feast-dev / feast: < 0.63.0 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N