eastbaycyber

CVE-2026-56121: Critical Remote Code Execution in Feast

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-24
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-56121
CVSS score 9.8 Critical
Attack vector Network
Auth required None, based on NVD description stating unauthenticated or unauthorized attackers may exploit it
Patch status Fixed in Feast 0.63.0

TL;DR - Feast before 0.63.0 is vulnerable to critical gRPC-based RCE. - Exposed registry servers should be upgraded to 0.63.0 immediately. - No confirmed in-the-wild exploitation is known, but defender urgency is high.

Vulnerability at a Glance

CVE-2026-56121 is a critical remote code execution vulnerability in Feast, the open-source feature store maintained in the feast-dev/feast repository. According to the NVD description, the flaw exists because Feast decodes attacker-controlled data and passes it to Python dill.loads() in the registry server gRPC path before authorization checks occur. That combination makes this a particularly dangerous issue: the exploit path is network-reachable, requires no user interaction, and may not require valid credentials if the target gRPC endpoint is reachable.

The affected version range is clearly stated as Feast before 0.63.0, and the fixed version is Feast 0.63.0. If you are running any release earlier than 0.63.0, you should treat the instance as vulnerable until proven otherwise. Because the vulnerable behavior occurs in a server-side deserialization path, internet exposure is not required for risk to be serious. Internal exposure to shared engineering, MLOps, or platform networks is enough to justify expedited response.

What Is This Vulnerability?

At a high level, this is a CWE-502 Deserialization of Untrusted Data issue. The NVD states that an attacker can send a crafted gRPC request to the Feast registry server, place malicious serialized content in the user_defined_function.body field of an OnDemandFeatureView specification, and trigger execution when the application base64-decodes the field and passes it to dill.loads(). In Python ecosystems, deserializers such as pickle and dill are unsafe when pointed at attacker-controlled data because object reconstruction can invoke attacker-defined behavior.

The detail that matters most to defenders is not just that deserialization is unsafe, but that it occurs before authorization checks. That means this is not merely a privilege escalation issue for already-authenticated users. Based on the NVD wording, an unauthenticated or unauthorized attacker may be able to achieve remote code execution as the Feast service account. In practice, that turns any reachable vulnerable registry server into a high-priority containment target.

Technical Notes

The vulnerable flow, as described by NVD, is effectively:

  1. Receive gRPC input containing an OnDemandFeatureView spec.
  2. Read user_defined_function.body.
  3. Base64-decode the field.
  4. Pass the decoded bytes to dill.loads().
  5. Only later perform authorization checks.

A simplified illustration of the risky pattern looks like this:

import base64
import dill

def process_request(spec):
    udf_body = spec.user_defined_function.body
    raw = base64.b64decode(udf_body)
    obj = dill.loads(raw)  # unsafe if attacker-controlled
    authorize_request(spec.actor)  # too late if code already ran
    return obj

The technical impact is arbitrary code execution as the account running the Feast service. That may expose API tokens, database credentials, cloud metadata, registry data, feature definitions, and whatever backing infrastructure the service can reach.

AnalystImpact · assess the risk

Who Is Affected?

The vulnerable range is explicitly stated as Feast versions before 0.63.0. The fixed release is Feast 0.63.0. If your environment uses Feast and is pinned to any version lower than 0.63.0, it falls into the affected range based on the available primary-source data. There is no narrower safe subset documented in the research note, so defenders should not assume that only specific minor releases are affected.

This matters operationally because Feast deployments vary. Some run in development clusters, some in internal platform environments, and some in production ML serving or feature infrastructure. Even if the registry server is not directly internet-accessible, many organizations expose it to broad internal networks, CI/CD runners, data-science workstations, or service meshes. In those topologies, a low-friction pre-auth RCE can become a lateral movement bridge into higher-value ML and data systems.

A quick validation checklist for affected exposure:

Check Why it matters
Feast version is lower than 0.63.0 Confirms vulnerable software range
Registry server gRPC interface is reachable over network Confirms exploit path exposure
Service account has access to secrets or data stores Increases post-exploitation impact
Environment allows user-submitted feature definitions Raises likelihood of attacker-controlled inputs

If you do not yet know your exact deployed version, assume exposure until you inventory it. Unknown version state should be treated as operational risk, especially for internet-facing or multi-tenant internal services.

CVSS Score Breakdown

CVE-2026-56121 carries a CVSS v3.1 score of 9.8 Critical with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This is one of the clearest possible signals that the issue deserves immediate patch prioritization. The vector indicates network reachability, low attack complexity, no privileges required, no user interaction, and full impact across confidentiality, integrity, and availability.

For defenders, the score is useful not because it replaces asset context, but because it aligns with the technical facts. This is a server-side pre-auth or effectively pre-auth code execution path on a platform component often connected to data and model infrastructure. High confidentiality impact means secrets and data are at risk; high integrity impact means attackers may alter feature definitions or operational logic; high availability impact means the service or underlying host can be disrupted.

Technical Notes

CVSS vector interpretation for this case:

AV:N  = exploitable over a network
AC:L  = no unusual conditions required
PR:N  = no privileges required
UI:N  = no user action required
S:U   = impact remains within the vulnerable component's security scope
C:H   = high confidentiality impact
I:H   = high integrity impact
A:H   = high availability impact

The service-account execution context is especially important. If that account is overprivileged, the real-world blast radius may exceed what CVSS alone suggests.

Exploitation Status

At the time of writing, exploitation in the wild is not confirmed in the provided primary-source data. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog, which means there is no CISA-backed evidence of active exploitation available here. Defenders should not read absence from KEV as safety. KEV is a lagging confirmation source, not a guarantee that opportunistic scanning or private exploitation is absent.

As for proof-of-concept status, the safest statement is: a standalone public exploit repository is not confirmed from the gathered sources, but public advisories and writeups exist, and the NVD description is explicit enough that exploit development appears technically straightforward. In other words, there is no verified public PoC repo cited here, but defenders should assume one could emerge quickly because the vulnerable field, function, and execution sequence are already described.

Operationally, the right message is: not confirmed exploited in the wild, no verified standalone public PoC from current primary-source review, but high PoC likelihood. That should still trigger urgent patching because critical pre-auth deserialization bugs tend to attract rapid attacker attention once disclosure lands.

What Defenders Should Do Next

First, inventory all Feast deployments and identify any version before 0.63.0. Second, determine whether the registry server gRPC endpoint is reachable from the internet, partner networks, developer workstations, CI systems, or broad internal segments. Third, patch to 0.63.0 and confirm rollout with package, image, or runtime verification rather than change-ticket assumptions.

After patching, perform a focused compromise assessment for exposed systems. Review process telemetry, outbound network connections, access to secrets, changes to feature definitions, and service-account activity around the disclosure window. Because confirmed exploitation is not known, the response does not automatically require full incident declaration. But because the issue is a critical pre-auth RCE, any exposed and unpatched instance should be treated as a meaningful intrusion risk until assessed.

ResponderRunbook · act now

How to Detect It

Detection is challenging because the vulnerable input is embedded in gRPC traffic and the malicious bytes are base64-encoded before deserialization. If you have full application logs for registry operations, focus on requests involving OnDemandFeatureView definitions and especially any fields related to user_defined_function.body. If you have reverse-proxy, service-mesh, or gRPC access logs, look for unexpected calls to the registry server from unfamiliar clients, sudden spikes in request volume, or traffic from networks that should never manage Feast definitions.

You should also hunt for post-exploitation indicators on the Feast host or container. Because successful exploitation runs code as the Feast service account, signs may include unusual shell execution, child processes from the Feast service, outbound connections to unexpected destinations, or access to cloud metadata and secret stores shortly after registry API activity. If your logging does not currently capture enough application-level detail to inspect request fields, treat that as a visibility gap and compensate with process, network, and container telemetry.

Technical Notes

Potential log and telemetry patterns to review:

Application context clues:
- OnDemandFeatureView
- user_defined_function.body
- apply feature view
- registry server gRPC errors or deserialization exceptions

Host or container execution clues:
- parent process: feast / python
- child processes: /bin/sh, sh, bash, curl, wget, python -c

Example Splunk hunt for suspicious Feast child process execution:

index=linux OR index=edr
(process_name=python OR parent_process_name=python OR parent_process_name=feast)
(parent_process_name=feast OR process_command_line="*feast*")
(process_name=sh OR process_name=bash OR process_name=curl OR process_name=wget)
| stats count min(_time) as first_seen max(_time) as last_seen by host parent_process_name process_name process_command_line

Example Sigma-style idea for EDR/process telemetry:

title: Suspicious Child Process from Feast Service
logsource:
  category: process_creation
detection:
  selection_parent:
    ParentImage|contains:
      - "python"
      - "feast"
  selection_child:
    Image|endswith:
      - "/sh"
      - "/bash"
      - "/curl"
      - "/wget"
  condition: selection_parent and selection_child
level: high

If you can inspect gRPC metadata or decoded payload traces internally, flag requests to the registry server that include unusually large base64 blobs in user_defined_function.body, especially from clients that do not normally publish feature view definitions.

Mitigation and Patching

The primary mitigation is clear: upgrade Feast to 0.63.0 or later. Because the affected range is before 0.63.0 and the fixed version is 0.63.0, there is no reason to remain on earlier releases if you are exposed. If you operate through reproducible builds, update the dependency pin, rebuild the image, and redeploy all registry server instances. If you are unsure whether every environment uses the same Feast version, validate development, staging, and batch-processing clusters too.

While patching is underway, reduce exposure to the registry server gRPC interface. Limit access to only explicitly authorized clients and management networks. If the service is internet-accessible, remove that exposure immediately unless there is a documented business requirement and compensating controls are in place. Also review the privileges granted to the Feast service account. Even after patching, reducing service permissions lowers the impact of future code-execution bugs.

Technical Notes

For Python package-based deployments, verify and upgrade with:

python -m pip show feast
python -m pip install --upgrade "feast>=0.63.0"

If you pin exact versions in requirements:

sed -i 's/^feast==.*/feast==0.63.0/' requirements.txt
python -m pip install -r requirements.txt

For containerized environments, rebuild with an updated base image or package layer, then redeploy:

RUN python -m pip install --no-cache-dir "feast==0.63.0"

Network workaround while patching: restrict gRPC access at the load balancer, ingress, or firewall. Example with Kubernetes NetworkPolicy conceptually limiting access to trusted namespaces only:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: feast-registry-restrict
spec:
  podSelector:
    matchLabels:
      app: feast-registry
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              access: feast-admin

If you cannot patch immediately and lack confidence in network controls, defenders should assume the service is at risk if reachable. In that case, temporary shutdown of externally reachable registry endpoints may be safer than continued operation.

References

For more information on related vulnerabilities, check out our articles on what is cloud infrastructure entitlement management and what is zero trust.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-24

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.