Description
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kestra versions 1.3.3 and earlier are vulnerable to SQL Injection because unfiltered user input from a GET parameter is concatenated directly into an SQL query. The missing sanitization allows attackers to inject arbitrary SQL expressions, giving them the ability to read, modify, or delete database contents. The underlying weakness is an input validation error (CWE-20) in which user-supplied data is not properly sanitized before it reaches the query, leading to the execution of unintended SQL (CWE-89).

Affected Systems

The affected product is Kestra, a data workflow orchestration platform. Versions up to and including 1.3.3 are vulnerable; newer releases may contain a fix. No other vendors or products are known to be affected at this time.

Risk and Exploitability

Based on the description, the attack vector is inferred to be a standard HTTP GET request to an endpoint that accepts user-controlled input, so any user who can reach that endpoint can trigger the vulnerability remotely. The impact ranges from data disclosure to full database compromise, depending on the database privileges held by the account Kestra uses. No EPSS score is available, but with no mitigation published the potential for exploitation is high. The vulnerability is not listed in the CISA KEV catalog, yet its remote reachability and high impact warrant prompt attention.

Generated by OpenCVE AI on May 5, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kestra patch when it becomes available
  • Configure the web application to reject or validate all GET parameters, ensuring only expected patterns are accepted
  • Refactor database access code to use parameterized queries or prepared statements, removing any string concatenation of user input

Generated by OpenCVE AI on May 5, 2026 at 19:51 UTC.
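The third recommended action, shown side by side with the concatenation pattern the advisory describes. This is an added illustration using Python's built-in sqlite3 module with a constructed in-memory table; it is not Kestra code and makes no assumption about Kestra's real schema or endpoint. An input containing a single quote (`O'Brien`) is enough to show the difference: the concatenated variant hands it to the SQL parser as part of the statement, while the bound-parameter variant treats it as plain data.

```python
import sqlite3

# Constructed sample data standing in for an application table
# (illustrative only, not Kestra's schema).
SEED_ROWS = [("alice", "flow-a"), ("bob", "flow-b"), ("O'Brien", "flow-c")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO flows VALUES (?, ?)", SEED_ROWS)
    return conn


def find_flows_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The pattern the advisory describes: the request parameter is pasted
    # into the statement text, so the SQL parser sees it as SQL, not data.
    sql = "SELECT name FROM flows WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def find_flows_fixed(conn: sqlite3.Connection, owner: str) -> list:
    # Recommended fix: a bound parameter travels to the driver separately
    # from the statement text and cannot change the query's structure.
    sql = "SELECT name FROM flows WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner: str) -> dict:
    """Run both variants on the same input and report what each did."""
    conn = make_db()
    result = {"fixed": find_flows_fixed(conn, owner)}
    try:
        result["vulnerable"] = find_flows_vulnerable(conn, owner)
    except sqlite3.OperationalError as exc:
        # A syntax error here proves the input was parsed as SQL code.
        result["vulnerable"] = f"SQL error: {exc}"
    return result


if __name__ == "__main__":
    for value in ("alice", "O'Brien"):
        print(value, "->", compare(value))
```

The same check works as a regression test against any data-access function: feed it a value containing a quote and confirm it returns a literal match rather than a driver error.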

Advisories

No advisories yet.

History

Tue, 05 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Title         -                Kestra SQL Injection via Unvalidated GET Parameter
Weaknesses    -                CWE-20, CWE-89

Tue, 05 May 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Kestra-io; Kestra-io kestra
Vendors & Products    -                Kestra-io; Kestra-io kestra

Tue, 05 May 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description   -                Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.
References    -                -

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T18:10:56.956Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38428

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T19:16:21.910

Modified: 2026-05-05T19:16:21.910

Link: CVE-2026-38428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:00:13Z

Weaknesses