Impact
Kestra is an event-driven orchestration platform that ships with script execution plugins enabled by default. In vulnerable OSS releases prior to 1.0.45 and 1.3.21, the AuthenticationFilter whitelists the public configuration endpoint by a suffix comparison on the request path. Because the check is request.getPath().endsWith("/configs") rather than an exact match, any API path whose final segment is "configs" skips Basic Auth entirely. An unauthenticated attacker can use this to submit and run arbitrary workflows without credentials; with the default script plugins enabled, those workflows execute as root inside the Kestra worker container, giving full remote code execution. The flaw therefore bypasses all authentication mechanisms and allows complete control over the host system.
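The following is an added example, not code from the Kestra project. It models the whitelist decision in the AuthenticationFilter described above in Python (the real filter is Java on Micronaut) and puts the suffix check beside an exact-match replacement. The public endpoint path `/api/v1/configs` and the attacker paths are assumptions chosen for illustration; any path whose last segment is "configs" behaves the same way against the suffix check.

```python
# Added example; not the project's own code. Models the whitelist check in
# Kestra's AuthenticationFilter in Python. PUBLIC_CONFIG_PATH and the sample
# paths are assumptions for illustration.

# Assumption: the only endpoint meant to be reachable without Basic Auth.
PUBLIC_CONFIG_PATH = "/api/v1/configs"


def is_public_vulnerable(path: str) -> bool:
    """Suffix comparison, as in request.getPath().endsWith("/configs")."""
    return path.endswith("/configs")


def is_public_fixed(path: str) -> bool:
    """Exact comparison against the single whitelisted path."""
    return path == PUBLIC_CONFIG_PATH


def filter_decision(path: str, has_valid_basic_auth: bool, is_public) -> str:
    """Mimic the filter: whitelisted paths skip auth, everything else needs it."""
    if is_public(path):
        return "allow"
    return "allow" if has_valid_basic_auth else "deny"


# Constructed request paths. The second is hypothetical: it stands for any
# API route whose final segment happens to be "configs".
SAMPLE_PATHS = [
    "/api/v1/configs",
    "/api/v1/example/configs",
    "/api/v1/flows",
]


def compare(paths=SAMPLE_PATHS):
    """Return {path: (vulnerable_decision, fixed_decision)} for requests
    that carry no credentials at all."""
    return {
        p: (
            filter_decision(p, False, is_public_vulnerable),
            filter_decision(p, False, is_public_fixed),
        )
        for p in paths
    }


if __name__ == "__main__":
    for p, (vuln, fixed) in compare().items():
        print(f"{p:28} vulnerable={vuln:5} fixed={fixed}")
```

Run stand-alone, the model shows the unauthenticated `/api/v1/example/configs` request allowed by the suffix check and denied by the exact check, while the genuine public endpoint is allowed by both. If a deployment must tolerate variants such as a trailing slash, normalize the path first and then compare it exactly; loosening the comparison again is what created the hole.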
Affected Systems
Kestra OSS (vendor/product identifier kestra-io:kestra) is affected. All 1.0.x releases before 1.0.45 and all 1.3.x releases before 1.3.21 are vulnerable. No other vendors or product lines were identified.
Risk and Exploitability
The vulnerability carries a CVSS score of 10, the maximum, and is rated critical. No EPSS score is available and it is not listed in CISA's KEV catalog, but the absence of observed exploitation does not reduce the inherent risk. Exploitation requires only unauthenticated HTTP access to the Kestra API and a request path ending in "/configs", so it is trivially exploitable over the network. Because the bypassed endpoints let the attacker submit workflows, and the default script plugins run those workflows as root inside the worker container, a single successful request yields remote code execution and full system compromise. Administrators should treat this as an immediate threat: upgrade to 1.0.45 or 1.3.21 (or later), and until then keep the API off untrusted networks.
OpenCVE Enrichment