Description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Kestra’s previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) allows any authenticated user to read output files from executions belonging to other users and other namespaces within the same tenant. Because the endpoint never verifies that the caller is authorized for the execution named in the URL, the result is an information disclosure that exposes whatever sensitive data those output files contain. The advisory title describes it as an Insecure Direct Object Reference: the executionId path parameter is trusted without an ownership check. The recorded weakness is CWE‑863 (Incorrect Authorization).

Affected Systems

The affected product is Kestra, the open‑source event‑driven orchestration platform published by kestra‑io. On the 1.0 release line, versions before 1.0.45 are affected; on the 1.3 release line, versions before 1.3.21 are affected. Releases 1.0.45 and 1.3.21 and anything newer on those lines contain the fix. The advisory names only those two fixed versions, so treat any other release that is older than the fix on its line as affected until confirmed otherwise.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, low privileges required (any authenticated account in the tenant), no user interaction, high confidentiality impact and no integrity or availability impact. No EPSS score is available and the CVE is not listed in the CISA KEV catalog. Exploitation needs nothing beyond a valid account in the same tenant as the target execution and a target executionId; no elevated role and no code execution are involved. With those, an attacker can retrieve output files from any execution in the tenant through the preview endpoint, so the impact is a confidentiality compromise of tenant data across execution and namespace boundaries.
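To make the missing check concrete, here is an added Python model of the endpoint logic. It is not Kestra’s code: the execution store, the shape of a user’s namespace permissions and both handler functions are assumptions made for illustration. The vulnerable version verifies only that the caller is authenticated in the tenant, which is the class of bypass described above; the fixed version also requires that the caller may read the namespace the execution belongs to, and returns the same error for "not found" and "not permitted" so that the endpoint cannot be used to probe which executionIds exist.

```python
"""Illustrative model of the bypass described above.

Added example, not Kestra's source. The data model, the user/namespace
permission shape and the two check functions are assumptions chosen to
show the difference between a tenant-only check and one that also
enforces execution/namespace isolation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Execution:
    execution_id: str
    tenant: str
    namespace: str
    output_files: tuple[str, ...]


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    # Namespaces this user may read executions from (assumed permission model).
    readable_namespaces: frozenset[str] = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


# Constructed sample data: two executions in the same tenant, different namespaces.
EXECUTIONS = {
    "exec-A": Execution("exec-A", "acme", "team.payments", ("report.csv",)),
    "exec-B": Execution("exec-B", "acme", "team.hr", ("salaries.csv",)),
}


def _lookup(tenant: str, execution_id: str) -> Execution:
    """Tenant-scoped lookup; raises KeyError for unknown or foreign-tenant IDs."""
    execution = EXECUTIONS.get(execution_id)
    if execution is None or execution.tenant != tenant:
        raise KeyError(execution_id)
    return execution


def preview_file_vulnerable(user: User, tenant: str, execution_id: str, path: str) -> str:
    """Checks only that the caller is authenticated and in the tenant.
    Any user in the tenant can read any execution's output files."""
    if user.tenant != tenant:
        raise Forbidden("wrong tenant")
    execution = _lookup(tenant, execution_id)
    if path not in execution.output_files:
        raise KeyError(path)
    return f"<contents of {path} from {execution_id}>"


def preview_file_fixed(user: User, tenant: str, execution_id: str, path: str) -> str:
    """Adds the execution-level check: the caller must be allowed to read the
    namespace the execution belongs to. Unauthorized and non-existent
    executions fail identically so the endpoint does not leak which IDs exist."""
    if user.tenant != tenant:
        raise Forbidden("wrong tenant")
    try:
        execution = _lookup(tenant, execution_id)
    except KeyError:
        raise Forbidden("not found or not permitted") from None
    if execution.namespace not in user.readable_namespaces:
        raise Forbidden("not found or not permitted")
    if path not in execution.output_files:
        raise Forbidden("not found or not permitted")
    return f"<contents of {path} from {execution_id}>"


if __name__ == "__main__":
    alice = User("alice", "acme", frozenset({"team.payments"}))
    print(preview_file_vulnerable(alice, "acme", "exec-B", "salaries.csv"))  # leaks HR file
    try:
        preview_file_fixed(alice, "acme", "exec-B", "salaries.csv")
    except Forbidden as exc:
        print("fixed handler:", exc)
```

The point to carry over to a real review is the second function’s ordering: the namespace check happens before the file path is even consulted, and the error for an execution the caller may not see is indistinguishable from the error for one that does not exist.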

Generated by OpenCVE AI on June 26, 2026 at 22:50 UTC.

Remediation

Vendor fix: upgrade to Kestra 1.0.45 (1.0 line) or 1.3.21 (1.3 line), as stated in the description. No workaround is documented by the vendor.

OpenCVE Recommended Actions

  • Upgrade to Kestra 1.0.45 or newer on the 1.0 line, or 1.3.21 or newer on the 1.3 line; this is the only vendor‑provided fix for the missing authorization check.
  • Until the upgrade is deployed, restrict GET /api/v1/{tenant}/executions/{executionId}/file/preview to administrators or operators who legitimately need cross‑namespace access (for example at the reverse proxy in front of the API), accepting that ordinary users lose the file‑preview feature in the interim.
  • Review API access logs for preview requests against executions outside the requesting user’s namespaces, and suspend accounts that show that pattern until the patch is applied; because the flaw is read‑only (no integrity impact), the request log is the main detection signal.
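The second and third actions above depend on spotting cross‑namespace preview reads in the API logs. The following added Python helper, which is not an OpenCVE or Kestra tool, shows one way to do that. It assumes a constructed one‑line‑per‑request log format, an out‑of‑band mapping of execution IDs to namespaces and of users to the namespaces they should be able to read, flags successful preview responses for executions the user should not see, and lists users who reached several such executions. The log format and the reference data are assumptions; adapt the parser to your proxy’s real format.

```python
"""Detection helper for the Recommended Actions above.

Added example, not an OpenCVE or Kestra tool. Assumes a constructed
access-log format ("<iso-ts> <user> <method> <path> <status>") and an
out-of-band mapping of execution IDs to namespaces and of users to the
namespaces they may read (both assumed to come from the Kestra database
and RBAC configuration).
"""
import re
from collections import defaultdict

PREVIEW_RE = re.compile(
    r"^/api/v1/(?P<tenant>[^/]+)/executions/(?P<execution_id>[^/?]+)/file/preview"
)

# Constructed reference data (hypothetical executions and users).
EXECUTION_NAMESPACE = {
    "exec-A": "team.payments",
    "exec-B": "team.hr",
    "exec-C": "team.hr",
}
USER_NAMESPACES = {
    "alice": {"team.payments"},
    "bob": {"team.hr"},
}

# Constructed sample log lines: alice reads two HR executions she should not see;
# the final 403 shows what a request looks like once the fix is in place.
SAMPLE_LOG = """\
2026-06-26T10:00:01Z alice GET /api/v1/acme/executions/exec-A/file/preview?path=report.csv 200
2026-06-26T10:00:05Z alice GET /api/v1/acme/executions/exec-B/file/preview?path=salaries.csv 200
2026-06-26T10:00:06Z alice GET /api/v1/acme/executions/exec-C/file/preview?path=notes.txt 200
2026-06-26T10:01:00Z bob GET /api/v1/acme/executions/exec-B/file/preview?path=salaries.csv 200
2026-06-26T10:02:00Z bob GET /api/v1/acme/flows/team.hr 200
2026-06-26T10:03:00Z alice GET /api/v1/acme/executions/exec-B/file/preview?path=salaries.csv 403
"""


def parse_preview_requests(log_text: str):
    """Yield (ts, user, tenant, execution_id, status) for preview requests only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, method, path, status = parts
        match = PREVIEW_RE.match(path)
        if method != "GET" or match is None:
            continue
        yield ts, user, match["tenant"], match["execution_id"], int(status)


def find_cross_namespace_previews(log_text: str, threshold: int = 2):
    """Return (findings, enumerators).

    findings: successful (2xx) previews of executions outside the user's
    readable namespaces. A 403 means the authorization check held, so it is
    not counted. enumerators: users with >= threshold distinct foreign
    executions previewed, a sign of systematic reading rather than a one-off.
    """
    findings = []
    foreign_per_user = defaultdict(set)
    for ts, user, tenant, execution_id, status in parse_preview_requests(log_text):
        if status >= 300:
            continue
        namespace = EXECUTION_NAMESPACE.get(execution_id)
        if namespace is None or namespace in USER_NAMESPACES.get(user, set()):
            continue
        findings.append({"ts": ts, "user": user, "tenant": tenant,
                         "execution_id": execution_id, "namespace": namespace})
        foreign_per_user[user].add(execution_id)
    enumerators = sorted(u for u, ids in foreign_per_user.items() if len(ids) >= threshold)
    return findings, enumerators


if __name__ == "__main__":
    found, users = find_cross_namespace_previews(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['user']} read {f['execution_id']} ({f['namespace']})")
    print("possible enumeration by:", users)
```

Run against real logs, the useful output is the list of users, not the raw request lines: one foreign read can be an operator with legitimate broad access that the reference mapping does not capture, whereas a user who walks through several executions in namespaces they have never otherwise touched is the pattern the third action above asks you to suspend.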


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type         Values Removed   Values Added
Description  --               Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.
Title        --               Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)
Weaknesses   --               CWE-863
References   --
Metrics      --               cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:53:29.778Z

Reserved: 2026-06-09T19:11:53.484Z

Link: CVE-2026-53577

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:00:09Z

Weaknesses