Description
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kestra's inputFiles task writes rendered file names directly to the task working directory. Prior to the fixed releases, the task does not sanitize or normalize path segments. An attacker who can supply untrusted execution or webhook data into an inputFiles filename can include '../' sequences, allowing them to create or overwrite files outside the intended directory.

Affected Systems

The vulnerability affects Kestra versions 1.3.18 and earlier, 1.2.18 and earlier, 1.1.18 and earlier, and 1.0.42 and earlier. The patch is available in releases 1.3.19, 1.2.19, 1.1.19, and 1.0.43.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity. EPSS is not available and the vulnerability is not listed in CISA's KEV catalog. It is inferred that exploitation requires the ability to create or modify flows or webhook data that reach the Kestra instance, giving an attacker the ability to write arbitrary files on the worker filesystem. This could lead to configuration tampering, privilege escalation, or data exfiltration in a multi‑tenant deployment.

Generated by OpenCVE AI on June 19, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kestra to version 1.3.19 or newer (or 1.2.19, 1.1.19, or 1.0.43)
  • Restrict untrusted flow and webhook data from supplying path separators in inputFiles filenames
  • Validate all filenames in inputFiles to disallow '../' sequences before writing to disk
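One way to apply the validation the recommended actions call for, as an added example in Python that is not Kestra's own code: the rendered name is joined under the task working directory, the result is normalized, and the write is refused unless the normalized path lies below that directory. The working directory, the function names, and the entries in SAMPLE_NAMES are constructed for illustration.

```python
"""Added example (not Kestra's code): confining a rendered inputFiles name
to its task working directory before anything is written to disk."""
from pathlib import Path, PurePosixPath
import tempfile


def unsafe_target(working_dir: Path, rendered_name: str) -> Path:
    """Pre-fix behaviour as the advisory describes it: the rendered name is
    joined under the working directory with no normalization, so '../'
    segments in the name resolve to a location outside it."""
    return working_dir / rendered_name


def confined_target(working_dir: Path, rendered_name: str) -> Path:
    """Return the absolute path the file may be written to, or raise ValueError.

    The check normalizes the joined path (collapsing '.', '..' and symlinks in
    existing parents) and then requires the result to lie strictly below the
    resolved working directory. Rejecting the literal substring '../' alone
    would be weaker: it misses absolute names and rejects harmless 'a/../b'.
    """
    if not rendered_name or "\x00" in rendered_name:
        raise ValueError("empty or NUL-containing file name")
    if PurePosixPath(rendered_name).is_absolute() or Path(rendered_name).is_absolute():
        raise ValueError(f"absolute file name not allowed: {rendered_name!r}")
    base = working_dir.resolve()
    candidate = (base / rendered_name).resolve()
    if base not in candidate.parents:
        raise ValueError(f"file name escapes working directory: {rendered_name!r}")
    return candidate


def is_confined(working_dir: Path, rendered_name: str) -> bool:
    """True when confined_target accepts the name, False when it rejects it."""
    try:
        confined_target(working_dir, rendered_name)
    except ValueError:
        return False
    return True


# Constructed sample names standing in for rendered inputFiles keys that a
# flow forwarded from untrusted execution or webhook data.
SAMPLE_NAMES = [
    "data/input.csv",          # normal nested file: accepted
    "nested/../sibling.txt",   # normalizes to sibling.txt: accepted
    "../../outside.txt",       # climbs above the working dir: rejected
    "/abs/outside.txt",        # absolute name: rejected
    "..",                      # the parent of the working dir: rejected
]


def classify(working_dir: Path, names=SAMPLE_NAMES) -> dict:
    """Map each constructed name to whether the confined check accepts it."""
    return {name: is_confined(working_dir, name) for name in names}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        wd = Path(tmp) / "task-working-dir"
        wd.mkdir()
        for name, ok in classify(wd).items():
            verdict = "ACCEPT" if ok else "REJECT"
            print(f"{verdict:6} {name!r:26} unsanitized target: {unsafe_target(wd, name)}")
```

The check has to run on the rendered name (after templating), not on the flow source, since the advisory's concern is data that only reaches the file name at execution time. Resolving the path also follows symlinks in existing parent directories, so a symlink planted inside the working directory cannot be used to redirect the write either.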

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:15:00 +0000

  • First Time appeared
    Values Removed: none
    Values Added: Kestra-io; Kestra-io kestra
  • Vendors & Products
    Values Removed: none
    Values Added: Kestra-io; Kestra-io kestra

Fri, 19 Jun 2026 20:30:00 +0000

  • Description
    Values Removed: none
    Values Added: Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.
  • Title
    Values Removed: none
    Values Added: Kestra task inputFiles accepts traversal filenames for worker file writes
  • Weaknesses
    Values Removed: none
    Values Added: CWE-22
  • References
    Values Removed: none
    Values Added:
  • Metrics
    Values Removed: none
    Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T20:16:24.043Z

Reserved: 2026-05-20T18:46:58.292Z

Link: CVE-2026-48129

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:00:06Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')