CVE-2026-56121 Overview
CVE-2026-56121 is an unsafe deserialization vulnerability in Feast, the open-source feature store for machine learning, affecting versions prior to 0.63.0. The flaw resides in the registry server's gRPC handler for ApplyFeatureView, which decodes the user_defined_function.body field of an OnDemandFeatureView spec from base64 and passes the result directly to dill.loads() before performing any authorization checks. Unauthenticated attackers reachable over the network can submit a crafted protobuf payload containing a malicious pickled Python object with an __reduce__ method to execute arbitrary operating system commands as the Feast service account. The issue is classified under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Unauthenticated remote code execution on the Feast registry server, leading to full compromise of the feature store and any credentials or ML pipelines accessible to the service account.
Affected Products
- Feast (feast-dev/feast) versions prior to 0.63.0
- Deployments exposing the Feast registry gRPC server to untrusted networks
- ML platforms and pipelines that rely on Feast for feature serving
Discovery Timeline
- 2026-06-24 - CVE-2026-56121 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-56121
Vulnerability Analysis
Feast exposes a gRPC registry service that accepts feature view definitions from clients via the ApplyFeatureView RPC. When a client submits an OnDemandFeatureView, the registry reconstructs the Python user-defined function (UDF) attached to the spec by decoding user_defined_function.body and invoking dill.loads(). Because dill extends pickle, deserialization can trigger arbitrary callables specified through the __reduce__ protocol. The registry performed this deserialization before authorization, so any attacker who could reach the gRPC endpoint could execute code in the registry process. Successful exploitation yields code execution as the Feast service account, exposing offline store credentials, online store secrets, and downstream ML infrastructure.
Root Cause
The root cause is direct invocation of an unsafe deserializer (dill.loads) on attacker-controlled bytes inside from_proto on OnDemandFeatureView. Authorization checks were also enforced after the UDF was materialized, so untrusted payloads were parsed before any identity verification.
Attack Vector
An attacker sends a gRPC ApplyFeatureView request to the Feast registry containing an OnDemandFeatureView whose user_defined_function.body is a base64-encoded pickle stream. The malicious object's __reduce__ method returns a tuple such as (os.system, ("<command>",)), which dill evaluates during deserialization. No credentials, user interaction, or local access are required.
# Source: https://github.com/feast-dev/feast/commit/835cda8e2c1359f1f496ad72701dbd6a73bdb25a
# Patch in sdk/python/feast/feature_view.py
@classmethod
def from_proto(
cls, feature_view_proto: FeatureViewProto, skip_udf: bool = False
) -> "FeatureView":
return cls._from_proto_internal(feature_view_proto, seen={}, skip_udf=skip_udf)
@classmethod
def _from_proto_internal(
cls,
feature_view_proto: FeatureViewProto,
seen: Dict[str, Union[None, "FeatureView"]],
skip_udf: bool = False,
) -> "FeatureView":
"""
Creates a feature view from a protobuf representation of a feature view.
The patch introduces a skip_udf parameter so the registry can parse feature view protobufs without invoking dill.loads() on untrusted UDF bodies. A companion change in on_demand_feature_view.py makes feature_transformation optional, allowing the registry to defer or omit UDF materialization entirely.
Detection Methods for CVE-2026-56121
Indicators of Compromise
- Unexpected child processes spawned by the Feast registry process, such as sh, bash, python, curl, or wget.
- Outbound network connections from the Feast registry host to unknown external IPs shortly after ApplyFeatureView RPC traffic.
- gRPC requests to feast.registry.RegistryServer/ApplyFeatureView containing oversized or anomalous user_defined_function.body fields.
- New cron jobs, SSH keys, or shell history entries created under the Feast service account.
Detection Strategies
- Inspect gRPC traffic to the Feast registry and flag ApplyFeatureView calls from unauthenticated or unexpected source addresses.
- Monitor the Feast registry process tree for execution of shell utilities or interpreters that are not part of normal feature view application.
- Correlate registry log entries showing OnDemandFeatureView materialization with concurrent process or network anomalies.
Monitoring Recommendations
- Forward Feast registry application logs and host audit logs to a centralized analytics platform for retroactive hunting.
- Enable Linux audit rules (execve, connect) on hosts running the Feast registry to capture command execution and outbound connections.
- Alert on any modification to Python site-packages or registry configuration files outside of approved deployment windows.
How to Mitigate CVE-2026-56121
Immediate Actions Required
- Upgrade Feast to version 0.63.0 or later on all registry servers and clients.
- Restrict network access to the Feast registry gRPC port using firewalls, security groups, or service mesh policies so only trusted clients can connect.
- Rotate any credentials, tokens, or cloud keys accessible to the Feast service account if the registry was reachable from untrusted networks.
- Audit recent ApplyFeatureView activity and registry process behavior for signs of exploitation.
Patch Information
The fix is delivered in commit 835cda8 and included in the Feast v0.63.0 release. Additional analysis is available in the VulnCheck advisory and the Huntr bounty report.
Workarounds
- Place the Feast registry behind an authenticating reverse proxy or service mesh that enforces mutual TLS before requests reach the gRPC handler.
- Disable or block the ApplyFeatureView RPC for clients that do not require write access to the registry.
- Run the Feast registry under a dedicated, least-privileged service account with no access to production secrets or cloud credentials.
# Upgrade Feast to a patched release
pip install --upgrade 'feast>=0.63.0'
# Verify the installed version
python -c "import feast; print(feast.__version__)"
# Example firewall rule restricting registry gRPC access (port 6570) to a trusted CIDR
iptables -A INPUT -p tcp --dport 6570 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6570 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

