CRITICAL🇵🇱 Wersja polska

CVE-2026-49869

CVSS 10.0v3.1pub. 2026-06-26upd. 2026-07-01

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.

🤖 AI Analysis
How it works

The AuthenticationFilter authentication filter checks the request path using the endsWith('/configs') method, i.e., suffix matching instead of exact path matching. This means any API endpoint whose last segment is 'configs' completely bypasses authentication. An attacker can thus direct a request to an appropriately constructed path, gaining access without credentials. Since Kestra by default provides plugins for executing scripts (plugin-script-shell, plugin-script-python, and others), arbitrary code execution in the worker container context is possible.

Impact

An unauthenticated remote attacker can create and execute arbitrary workflows, leading to full RCE with root privileges inside the Kestra worker container, and consequently resulting in environment takeover, data exfiltration, and lateral movement capabilities.

Mitigation & patch

Kestra OSS should be urgently updated to version 1.0.45 or 1.3.21 (depending on the branch in use). Until the patch is deployed, consider restricting network access to the Kestra instance to trusted IP addresses only and disabling script plugins if they are not essential.

Who is affected

Kestra OSS in versions prior to 1.0.45 and prior to 1.3.21

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Kestra

    APP
    Kestra
    < 1.0.451.1.0 – 1.3.21 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEContainerCommand InjectionAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-53576CRITICAL10.0PL ✓ten sam produkt

Kestra: Pominięcie uwierzytelnienia REST API prowadzące do RCE jako root

CVE-2026-38428CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Kestra — wstrzykiwanie zapytań przez parametr GET

CVE-2026-34612CRITICAL9.9PL ✓ten sam produkt

SQL Injection prowadzący do RCE w platformie Kestra (endpoint wyszukiwania flows)

CVE-2026-55069HIGH8.7ten sam produkt

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in t...

CVE-2026-45807HIGH7.7ten sam produkt

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API ...