{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-56121/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-24T16:03:10.790Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-56121","@id":"https://www.cve.org/CVERecord?id=CVE-2026-56121","description":"Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands."},"products":[{"@id":"cpe:2.3:a:feast-dev:feast:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:feast-dev:feast:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Feast versions before 0.63.0 are affected; update to the fixed version, 0.63.0.","timestamp":"2026-06-24T16:03:10.790Z"}]}