
Kestra-Io Kestra vulnerabilities

10 known vulnerabilities affecting kestra-io/kestra.

Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 4

Vulnerabilities

CVE-2026-49869
  Priority: P1 | Severity: CRITICAL | CVSS: 10.0 | CWE-78
  Fixed in: 1.0.45 | Affected: >= 1.1.0, < 1.3.21 | Date: 2026-06-26
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypa
  Source: nvd
CVE-2026-53576
  Priority: P2 | Severity: CRITICAL | CVSS: 10.0 | CWE-94
  Fixed in: 1.0.45 | Affected: >= 1.1.0, < 1.3.21 | Date: 2026-06-26
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresses its resources by URL path segments that the c
  Source: nvd
CVE-2026-55069
  Priority: P2 | Severity: HIGH | CVSS: 8.7 | CWE-916
  Fixed in: 1.3.24 | Date: 2026-06-26
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. I
  Source: nvd
CVE-2026-34612
  Priority: P3 | Severity: CRITICAL | CVSS: 9.0 | CWE-89
  Fixed in: 1.3.7 | Date: 2026-04-03
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigge
  Source: nvd
CVE-2026-45807
  Priority: P3 | Severity: HIGH | CVSS: 7.7 | CWE-22
  Fixed in: 1.0.43 | Affected: >= 1.1.0, < 1.3.19 | Date: 2026-06-26
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .
  Source: nvd
CVE-2026-49984
  Priority: P3 | Severity: HIGH | CVSS: 7.7 | CWE-22
  Fixed in: 1.0.45 | Affected: >= 1.1.0, < 1.3.23 | Date: 2026-06-26
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past the guard using backslashes (..\..\..\); the guard sees
  Source: nvd
CVE-2026-53577
  Priority: P3 | Severity: MEDIUM | CVSS: 6.5 | CWE-863
  Fixed in: 1.0.45 | Affected: >= 1.1.0, < 1.3.21 | Date: 2026-06-26
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-le
  Source: nvd
CVE-2026-48129
  Priority: P3 | Severity: MEDIUM | CVSS: 6.5 | CWE-22
  Fixed in: 1.0.43 | Affected: >= 1.1.0, < 1.1.19 (+2 more ranges) | Date: 2026-06-19
  Description: Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or o
  Source: nvd
CVE-2026-29082
  Priority: P4 | Severity: MEDIUM | CVSS: 5.4 | CWE-79
  Fixed in: (no fix listed) | Affected: <= 1.3.3 | Date: 2026-03-06
  Description: Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra's execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue's v-html without sanitisation. At time of publication, there are no publicly available patches.
  Source: nvd
CVE-2025-53543
  Priority: P4 | Severity: MEDIUM | CVSS: 4.2 | CWE-79
  Fixed in: 0.22.0 | Date: 2025-07-07
  Description: Kestra is an event-driven orchestration platform. The error message in the execution "Overview" tab is vulnerable to stored XSS due to improper handling of the HTTP response received. This vulnerability is fixed in 0.22.0.
  Source: nvd
Kestra-Io Kestra vulnerabilities | cvebase