Description
Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.
Published: 2026-05-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kestra versions 1.3.3 and earlier are vulnerable to SQL Injection because unfiltered user input from a GET parameter is directly concatenated into an SQL query. The missing sanitization allows attackers to inject arbitrary SQL expressions, giving them the ability to read, modify, or delete database contents. The underlying weakness corresponds to an SQL Injection flaw (CWE-89) where user-supplied data is directly concatenated into a query without proper sanitization, leading to execution of unintended SQL.

Affected Systems

The affected product is Kestra, a data workflow orchestration platform. Versions up to and including 1.3.3 are vulnerable; newer releases may contain a fix. No other vendors or products are known to be affected at this time.

Risk and Exploitability

Based on the description, the likely attack vector is a standard HTTP GET request to an endpoint that accepts user-controlled input. Any user able to reach the application can trigger the vulnerability remotely. The vulnerability can allow read, modification, or deletion of database contents, depending on the database privileges used by Kestra. The CVSS score of 9.8 indicates a critical level of severity, and the EPSS score of < 1% suggests a low probability of exploitation, although the lack of mitigation still warrants attention. The vulnerability is not listed in the CISA KEV catalog, yet its remote nature and high potential impact argue for swift action.

Generated by OpenCVE AI on May 6, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Kestra patch when it becomes available
  • Configure the web application to reject or validate all GET parameters, ensuring only expected patterns are accepted
  • Refactor database access code to use parameterized queries or prepared statements, removing any string concatenation of user input
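As an added illustration of the last two recommended actions (example code, not Kestra's own), the concatenation pattern the advisory describes sits beside a validated, parameterized version; the table, column names and the `namespace` GET parameter are constructed for the example, and the allow-list pattern is a hypothetical one.

```python
"""Added example (not Kestra's code): the insecure pattern described in the
advisory, string-concatenating a GET parameter into SQL, beside the two
recommended controls: allow-list validation and a parameterized query.
Uses an in-memory SQLite table holding constructed sample rows."""
import re
import sqlite3

# Constructed sample data standing in for an application table.
ROWS = [("prod", "active"), ("prod-eu", "active"), ("staging", "paused")]

# Hypothetical allow-list for a 'namespace'-style GET parameter: short,
# alphanumeric plus dash/underscore. Anything else is rejected before SQL runs.
NAMESPACE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (namespace TEXT, state TEXT)")
    conn.executemany("INSERT INTO flows VALUES (?, ?)", ROWS)
    return conn


def vulnerable_query(conn, namespace):
    """Insecure pattern (CWE-89): the parameter becomes part of the SQL text,
    so quotes and operators in it are parsed as SQL, not treated as data."""
    sql = "SELECT namespace, state FROM flows WHERE namespace = '" + namespace + "'"
    return conn.execute(sql).fetchall()


def validate_namespace(namespace):
    """Reject anything outside the expected pattern (recommended action 2)."""
    if not NAMESPACE_RE.fullmatch(namespace):
        raise ValueError("namespace parameter does not match the expected pattern")
    return namespace


def safe_query(conn, namespace):
    """Hardened form: validate first, then bind the value as a parameter so the
    driver never interprets it as SQL syntax (recommended action 3)."""
    validate_namespace(namespace)
    sql = "SELECT namespace, state FROM flows WHERE namespace = ?"
    return conn.execute(sql, (namespace,)).fetchall()


def compare(namespace):
    """Run both paths on one input. Returns (vulnerable_result, safe_result);
    a SQL error on the insecure path shows the input was parsed as SQL,
    while 'rejected' on the safe path means validation stopped it early."""
    conn = make_db()
    try:
        vuln = vulnerable_query(conn, namespace)
    except sqlite3.Error:
        vuln = "sql error"
    try:
        safe = safe_query(conn, namespace)
    except ValueError:
        safe = "rejected"
    return vuln, safe
```

A single stray quote in the parameter is enough to break the concatenated statement, which is the same mechanism that lets an attacker alter its meaning; the hardened path never reaches the database with such input.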

Advisories

No advisories yet.

History

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Kestra
Kestra kestra
CPEs cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:*
Vendors & Products Kestra
Kestra kestra

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Kestra v1.3.3 and Earlier Vulnerable to SQL Injection via Unsanitized GET Parameter

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Kestra SQL Injection via Unvalidated GET Parameter
Weaknesses CWE-20

Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title Kestra SQL Injection via Unvalidated GET Parameter
Weaknesses CWE-20
CWE-89

Tue, 05 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Kestra-io
Kestra-io kestra
Vendors & Products Kestra-io
Kestra-io kestra

Tue, 05 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T15:26:08.310Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38428

Vulnrichment

Updated: 2026-05-06T13:23:43.127Z

NVD

Status : Analyzed

Published: 2026-05-05T19:16:21.910

Modified: 2026-05-08T19:24:29.867

Link: CVE-2026-38428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T21:30:12Z

Weaknesses