Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.
The AuthenticationFilter authentication filter checks the request path using the endsWith('/configs') method, i.e., suffix matching instead of exact path matching. This means any API endpoint whose last segment is 'configs' completely bypasses authentication. An attacker can thus direct a request to an appropriately constructed path, gaining access without credentials. Since Kestra by default provides plugins for executing scripts (plugin-script-shell, plugin-script-python, and others), arbitrary code execution in the worker container context is possible.
An unauthenticated remote attacker can create and execute arbitrary workflows, leading to full RCE with root privileges inside the Kestra worker container, and consequently resulting in environment takeover, data exfiltration, and lateral movement capabilities.
Kestra OSS should be urgently updated to version 1.0.45 or 1.3.21 (depending on the branch in use). Until the patch is deployed, consider restricting network access to the Kestra instance to trusted IP addresses only and disabling script plugins if they are not essential.
Kestra OSS in versions prior to 1.0.45 and prior to 1.3.21
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HKestra
APPKestra< 1.0.451.1.0 – 1.3.21 (bez)
Related vulnerabilities
Kestra: Pominięcie uwierzytelnienia REST API prowadzące do RCE jako root
SQL Injection w Kestra — wstrzykiwanie zapytań przez parametr GET
SQL Injection prowadzący do RCE w platformie Kestra (endpoint wyszukiwania flows)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in t...
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API ...