## https://sploitus.com/exploit?id=FBFF27F7-8ED1-5776-9326-EF2D07BF0586
# CVE-2026-56121 — Feast Unauthenticated RCE via gRPC Registry Deserialization
> The **Feast ` function of an `OnDemandFeatureView` **as soon as a spec arrives — before any
> authorization check**. The shipped config is `auth: no_auth`, so any client that
> can reach the registry port (default `6570`) gets **unauthenticated remote code
> execution** by sending one `ApplyFeatureView` request with a malicious pickle.
| | |
|---|---|
| **CVE** | CVE-2026-56121 |
| **Affected** | Feast `< 0.63.0` |
Observed:
```
[*] sending ApplyFeatureView with a 124-byte malicious pickle in user_defined_function.body
[*] RPC status: UNKNOWN - Exception calling application: 0 is not a module, class, method, or function.
[+] dill.loads executed the payload server-side during from_proto.
```
The RPC ultimately errors (the unpickled object is no longer a callable UDF), but
the command **already ran** during `dill.loads()` — `cat /tmp/feast_pwned` returns
live `id`/`uname` output, proving execution rather than echo.
## Impact
Anyone able to reach the Feast registry gRPC port executes arbitrary OS commands as
the registry service account — full compromise of the feature store and the offline/
online stores, registries, and cloud credentials it is wired to. Feast registries are
frequently exposed inside ML platforms for SDK clients to call.
## Remediation
* Upgrade to **Feast ≥ 0.63.0**, which adds a `skip_udf` path so the registry server
no longer deserializes the UDF body of incoming specs.
* Defense in depth: enable `auth` (oidc/kubernetes) and never expose the registry
port to untrusted networks. Note that auth alone is **not** sufficient on `< 0.63.0`,
because the deserialization precedes the authorization check.
## Detection
Alert on `ApplyFeatureView` / `ApplyMaterialization` RPCs to the registry whose
`OnDemandFeatureView` `user_defined_function.body` is not produced by a trusted
client, and on registry processes spawning shells.
See [`ANALYSIS.md`](ANALYSIS.md) for the proto path, the deser-before-auth ordering,
and the patch.
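An added defensive example (my code, not part of this repository or of Feast): a pre-admission scan of the `user_defined_function.body` blob that walks the pickle opcode stream with `pickletools` instead of loading it, flagging global references outside an allowlist so a registry or proxy can reject a spec before any `dill.loads()`. The allowlist contents, the `scan_udf_body` name and the sample inputs are assumptions and constructed data.

```python
import os
import pickle
import pickletools

# Modules a dill-serialised pandas UDF may legitimately reference. Assumption:
# tune this to what your own feature views pickle; anything else is flagged.
ALLOWED_MODULES = {"dill", "dill._dill", "builtins", "copyreg", "types", "pandas", "numpy"}
# Names that are dangerous even when imported from an allowed module.
DENIED_NAMES = {"eval", "exec", "compile", "getattr", "__import__", "open"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"}


def scan_udf_body(body: bytes) -> list:
    """Findings for a user_defined_function.body blob; [] means nothing was flagged.
    Only the opcode stream is walked (pickletools.genops); the blob is never loaded, so
    a hostile payload cannot execute during the scan. Fails closed on a malformed stream
    or a STACK_GLOBAL whose strings cannot be recovered (not a full stack emulation)."""
    findings = []
    recent_strings = []  # string constants seen so far; STACK_GLOBAL consumes two
    try:
        for op, arg, _pos in pickletools.genops(body):
            if op.name in STRING_OPS:
                recent_strings.append(str(arg))
                continue
            if op.name == "GLOBAL":          # protocol <= 3: arg is "module name"
                module, name = arg.split(" ", 1)
            elif op.name == "STACK_GLOBAL":  # protocol >= 4: strings were pushed earlier
                if len(recent_strings) < 2:
                    findings.append("unresolvable STACK_GLOBAL (fail closed)")
                    continue
                module, name = recent_strings[-2], recent_strings[-1]
            else:
                continue
            if module not in ALLOWED_MODULES:
                findings.append(f"disallowed module: {module}.{name}")
            elif name in DENIED_NAMES:
                findings.append(f"denied name: {module}.{name}")
    except ValueError as exc:  # truncated stream or unknown opcode
        findings.append(f"malformed pickle: {exc}")
    return findings


def constructed_samples() -> dict:
    """Constructed inputs, not captured traffic: plain data, two pickles that merely
    reference os.system (no REDUCE, so loading returns the function object), a cut STOP."""
    return {
        "benign": pickle.dumps({"conv_rate": 0.5, "multiplier": 2}, protocol=4),
        "global_ref": pickle.dumps(os.system, protocol=2),
        "stack_global_ref": pickle.dumps(os.system, protocol=4),
        "truncated": pickle.dumps([1, 2, 3], protocol=4)[:-1],
    }
```

Run the scan on the blob before it reaches `from_proto`; any non-empty result is grounds to reject the `ApplyFeatureView` request and raise an alert.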
---
* Author: **Caio Fabrício** — [github.com/BiiTts](https://github.com/BiiTts)
* Vulnerability credit belongs to the original reporter / vendor advisory; this repo
is an independent reproduction for defensive and educational use. For authorized
security testing only.