Remote Code Execution via Unsafe Deserialization in gRPC Registry Server
Summary
Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account. A flaw was found in Feast. This vulnerability allows unauthenticated or unauthorized attackers to achieve remote code execution. By sending a specially crafted gRPC request to the registry server, attackers can exploit an unsafe deserialization process. This enables them to execute operating system commands as the Feast service account, leading to a complete compromise of the affected system. Red Hat OpenShift AI ships Feast versions affected by CVE-2026-56121. This flaw allows remote code execution only against the Feast registry gRPC server (feast serve_registry, port 6570) when that service is running and reachable. Default OpenShift AI installations are not affected. Installing OpenShift AI deploys the Feast operator but does not create a FeatureStore instance or start a registry server. The default FeatureStore configuration runs the online feature server only (feast serve), which does not expose the vulnerable gRPC endpoint. Workbench and pipeline runtime images include Feast as a client library and do not start a registry server. Red Hat validated this by attempting exploitation against Feast 0.62.0: remote code execution succeeded only when a registry server was explicitly started; the default online-only configuration and library-only images were not exploitable. Customers who configure a FeatureStore with an explicit registry server (registry.local.server) should treat this as a critical issue and apply the fix (Feast ≥ 0.63.0) when available. Enabling authorization alone does not remediate affected versions because unsafe deserialization occurs before authorization checks. Red Hat rates this Important for OpenShift AI overall, reflecting that the vulnerable component is present but the attack surface is not exposed under default configurations. Red Hat severity: Important — CVSS 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-502. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- - Restrict network access to Feature Server / registry endpoints (NetworkPolicy, Route auth, no public exposure). - Do not expose the Feast registry gRPC port to untrusted networks; place behind OpenShift Route + platform authentication.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.