CRITICAL🇵🇱 Wersja polska

CVE-2026-34612

CVSS 9.9v3.1pub. 2026-04-03upd. 2026-04-13

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

🤖 AI Analysis
How it works

The vulnerability is located in the GET /api/v1/main/flows/search endpoint and consists of improper handling of input data passed to an SQL query (CWE-89). The attacker injects a malicious SQL payload, which is then executed by PostgreSQL using the COPY ... TO PROGRAM ... mechanism. This mechanism allows PostgreSQL to execute arbitrary operating system commands on the host where the database runs. In the default docker-compose deployment, the exploit requires only an active authenticated user session.

Impact

An attacker with access to an authenticated session can execute arbitrary operating system commands on the host server, resulting in complete system compromise, potential data leakage, and violation of integrity and availability of the environment.

Mitigation & patch

Kestra should be updated to version 1.3.7, in which the issue has been fixed. The fix is available in the GitHub repository (commit 3926762795df8ad3e03924b370c51832ed3a21d3) and in the v1.3.7 release.

Who is affected

Kestra in versions prior to 1.3.7, in the default docker-compose deployment with PostgreSQL database

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Kestra

    APP
    Kestra
    < 1.3.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLiContainer
CWE
References

Related vulnerabilities

CVE-2026-53576CRITICAL10.0PL ✓ten sam produkt

Kestra: Pominięcie uwierzytelnienia REST API prowadzące do RCE jako root

CVE-2026-49869CRITICAL10.0PL ✓ten sam produkt

Kestra: Auth Bypass umożliwiający nieuwierzytelniony RCE jako root

CVE-2026-38428CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Kestra — wstrzykiwanie zapytań przez parametr GET

CVE-2026-55069HIGH8.7ten sam produkt

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in t...

CVE-2026-45807HIGH7.7ten sam produkt

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API ...