Description
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.
Published: 2026-04-03
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Kestra allows an attacker who already holds a valid account to inject arbitrary SQL through the "GET /api/v1/main/flows/search" endpoint. The injected statement reaches PostgreSQL, where COPY … TO PROGRAM hands a command to the operating system. The result is remote code execution on the database host, running as the PostgreSQL server's OS user (in the default docker-compose deployment, inside the PostgreSQL container rather than in Kestra's own process), and with it full control of the data Kestra keeps in that database.

Affected Systems

The vulnerability affects all releases of the Kestra event-driven orchestration platform before version 1.3.7; the advisory describes it against the default docker-compose deployment, in which Kestra is backed by PostgreSQL. The affected product is Kestra.io's Kestra server. Upgrading to 1.3.7 or later removes the flaw.

Risk and Exploitability

With a CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) the issue is rated critical. Exploitation requires an authenticated session with ordinary privileges plus a crafted URL; no further user interaction is needed, and the changed scope reflects that the code runs on the database side rather than in the Kestra process that received the request. The EPSS score is below 1%, indicating a low predicted exploitation likelihood, and the vulnerability is not listed in CISA's KEV catalog; the SSVC record in the history below does, however, note a public proof of concept. The severity and the ease of triggering it from a single link warrant urgent action.

Generated by OpenCVE AI on April 13, 2026 at 18:26 UTC.

Remediation

Vendor fix: upgrade to Kestra 1.3.7 or later, which the advisory states contains the patch. No separate workaround has been published.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Kestra v1.3.7 or later
  • Confirm that "GET /api/v1/main/flows/search" is not reachable without authentication, and review which accounts can log in at all, since any valid login is enough to exploit the flaw
  • If the upgrade must be delayed, make sure the PostgreSQL role Kestra connects with is not a superuser and is not a member of pg_execute_server_program (PostgreSQL refuses COPY … TO PROGRAM without one of these), so that a successful injection cannot reach the operating system; this limits the impact but does not remove the injection itself
  • Monitor Kestra access logs and PostgreSQL logs for requests to the search endpoint whose parameters carry SQL fragments (COPY, TO PROGRAM, stacked statements, comment sequences) and for COPY statements the application never issues

Generated by OpenCVE AI on April 13, 2026 at 18:26 UTC.
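The Impact section above describes the chain (a query parameter of GET /api/v1/main/flows/search reaching PostgreSQL's COPY … TO PROGRAM), and the last recommended action asks for log monitoring. The following scanner is an added example written for this page, not code from Kestra or OpenCVE. It assumes access logs in common log format in front of Kestra, inspects every query parameter because the advisory does not name the injectable one, decodes repeatedly to catch double-encoded payloads, and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/api/v1/main/flows/search"  # endpoint named in the advisory

# Injection markers. The first three are high-confidence (a flow search has no
# business carrying them); the last two are noisy on their own and only
# corroborate a high-confidence hit.
HIGH = ("copy_to_program", "stacked_query", "pg_sleep")
MARKERS = [
    ("copy_to_program", re.compile(r"\bcopy\b.+\bto\s+program\b", re.I | re.S)),
    ("stacked_query", re.compile(r";\s*(copy|select|insert|update|delete|create|drop|alter)\b", re.I)),
    ("pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("quote_break", re.compile(r"'\s*(or|and|;|\)|\|\|)", re.I)),
]

# Common log format access line (assumed log format for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Undo repeated URL encoding; attackers double-encode to slip past WAF rules."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def scan_line(line):
    """Return a finding dict for a suspicious request to ENDPOINT, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    hits = []
    # parse_qsl decodes once; fully_decode catches %25-style double encoding.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        for label, rx in MARKERS:
            if rx.search(value):
                hits.append((name, label))
    if not hits:
        return None
    severity = "high" if any(label in HIGH for _, label in hits) else "low"
    return {
        "ts": m["ts"], "ip": m["ip"], "user": m["user"], "method": m["method"],
        "status": m["status"], "severity": severity, "hits": hits,
    }


def scan(lines):
    """Scan an iterable of access-log lines; returns findings in log order."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample log: two benign searches, one noisy low-severity hit,
# two injection attempts (single- and double-encoded), one hit on another
# path, and one line that is not an access-log record at all.
SAMPLE_LOG = [
    '10.0.0.5 - alice [03/Apr/2026:10:00:01 +0000] "GET /api/v1/main/flows/search?q=etl&page=1&size=10 HTTP/1.1" 200',
    '10.0.0.5 - alice [03/Apr/2026:10:00:02 +0000] "GET /api/v1/main/flows/search?q=daily-report&namespace=company.team&sort=id%3Aasc HTTP/1.1" 200',
    '10.0.0.9 - carol [03/Apr/2026:10:02:40 +0000] "GET /api/v1/main/flows/search?q=weekly--draft HTTP/1.1" 200',
    '198.51.100.7 - bob [03/Apr/2026:10:05:13 +0000] "GET /api/v1/main/flows/search?q=%27%3B+COPY+(SELECT+1)+TO+PROGRAM+%27id+%3E+/tmp/o%27--&page=1 HTTP/1.1" 200',
    '198.51.100.7 - bob [03/Apr/2026:10:05:14 +0000] "GET /api/v1/main/flows/search?sort=x%2527%253B%2520copy%2520(select%25201)%2520to%2520program%2520%2527whoami%2527 HTTP/1.1" 500',
    '198.51.100.7 - bob [03/Apr/2026:10:05:15 +0000] "GET /api/v1/main/namespaces/company.team/flows?q=%27%3B+COPY+(SELECT+1)+TO+PROGRAM+%27id%27-- HTTP/1.1" 404',
    'kestra-1 | INFO  io.kestra.core.runners.Worker - Worker started',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["user"], f["status"], f["hits"])
```

Run against the constructed log it reports one low-severity line (a legitimate search term containing "--") and two high-severity lines, both from the same account and the second of them double-encoded. Alert on "high" and keep "low" for corroboration only; a 500 response on a high-severity line is worth extra attention, since the advisory's payload leaves no application-level trace once the command has run on the database host.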

Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Kestra; Kestra kestra
Type: CPEs
Values Added: cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Kestra; Kestra kestra

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Kestra-io; Kestra-io kestra
Type: Vendors & Products
Values Added: Kestra-io; Kestra-io kestra

Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 22:45:00 +0000

Type: Description
Values Added: Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.
Type: Title
Values Added: Kestra: Remote Code Execution via SQL Injection
Type: Weaknesses
Values Added: CWE-89
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T16:10:10.415Z

Reserved: 2026-03-30T17:15:52.501Z

Link: CVE-2026-34612

Vulnrichment

Updated: 2026-04-06T16:10:00.329Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:04.587

Modified: 2026-04-13T17:36:59.393

Link: CVE-2026-34612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:33Z

Weaknesses