CVE-2026-34612
published 2026-04-03

Priority: P3 56
Severity: critical (CVSS 3.1 base score 9)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.66% (46.7th percentile)
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

Affected (2 ranges)

Vendor      Product   Version range   Fixed in
kestra-io   kestra    < 1.3.7         1.3.7
kestra      kestra    < 1.3.7         1.3.7