Description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.
Published: 2026-06-26
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Kestra's BasicAuth component stores passwords as unsalted SHA‑512 digests. SHA‑512 is a fast, general‑purpose hash with no work factor, so anyone who can read the PostgreSQL database can run an offline dictionary or brute‑force attack at hardware speed and recover any administrator password that is guessable within their budget. A recovered administrator password gives full control of the orchestration platform; in Kubernetes environments it can further be used to read the cluster ServiceAccount token and all Kubernetes Secrets, escalating privileges well beyond the Kestra instance itself.
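The following Python example, added here to illustrate the mechanism and not taken from Kestra (which is a Java application), shows why a bare SHA‑512 digest is a weak password store and what the hardened alternative looks like. The "database dump", usernames, passwords and wordlist are constructed for the example, the audit check on digest format is a generic one, and the scrypt parameters and record format are common baselines, not Kestra settings.

```python
"""Offline cracking of unsalted SHA-512 password digests, an audit check that
spots them in a credential export, and a salted slow-KDF replacement.

Added example for this advisory, not Kestra code. The "database dump" below is
a constructed dict standing in for rows an attacker with PostgreSQL read access
could export; usernames, passwords and the wordlist are all invented.
"""
import hashlib
import hmac
import os
import time


def sha512_hex(password: str) -> str:
    """The weak scheme: one unsalted SHA-512 over the password, hex-encoded."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


# Constructed sample dump: username -> stored digest (computed here so the
# example is self-consistent; a real dump would just contain the hex strings).
CONSTRUCTED_DUMP = {
    "admin": sha512_hex("admin123"),
    "ops": sha512_hex("correct horse battery staple"),
}

# Tiny constructed wordlist; a real attack uses hundreds of millions of
# candidates plus mangling rules, at billions of SHA-512/s on GPUs.
WORDLIST = ["password", "admin", "kestra", "admin123", "letmein", "Summer2026!"]


def crack_sha512(dump: dict, wordlist: list) -> dict:
    """Offline dictionary attack. With no salt, one digest per candidate is
    compared against every account in the dump at once."""
    by_digest = {digest: user for user, digest in dump.items()}
    recovered = {}
    for candidate in wordlist:
        user = by_digest.get(sha512_hex(candidate))
        if user is not None:
            recovered[user] = candidate
    return recovered


def looks_like_bare_sha512(stored: str) -> bool:
    """Audit check for an exported credential column: exactly 128 lowercase hex
    characters with no algorithm/salt/cost prefix is the fingerprint of an
    unsalted SHA-512 digest (a proper KDF record carries parameters and salt)."""
    return len(stored) == 128 and all(c in "0123456789abcdef" for c in stored)


# Hardened form: salted, memory-hard scrypt from the standard library. Argon2id
# is the usual first choice but needs a third-party package; the parameters
# (N=2^14, r=8, p=1) are a common baseline, not a Kestra setting.
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: $scrypt$ln=..,r=..,p=..$<salt>$<key>."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=1 << SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P,
                         dklen=SCRYPT_DKLEN)
    return (f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}"
            f"${salt.hex()}${key.hex()}")


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare.
    Any malformed record is rejected rather than raising."""
    try:
        _, alg, params, salt_hex, key_hex = stored.split("$")
        if alg != "scrypt":
            return False
        kv = dict(item.split("=", 1) for item in params.split(","))
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=1 << int(kv["ln"]), r=int(kv["r"]),
                             p=int(kv["p"]), dklen=len(expected))
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(key, expected)


def guesses_per_second(check, seconds: float = 0.25) -> float:
    """Rough single-core throughput of one guess-check function."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        check("candidate-%d" % n)
        n += 1
    return n / seconds


if __name__ == "__main__":
    print("recovered from dump:", crack_sha512(CONSTRUCTED_DUMP, WORDLIST))
    for user, digest in CONSTRUCTED_DUMP.items():
        print(f"{user}: bare SHA-512? {looks_like_bare_sha512(digest)}")
    record = hash_password("admin123")
    print("verify ok:", verify_password("admin123", record),
          "wrong pw:", verify_password("admin124", record))
    fast = guesses_per_second(sha512_hex)
    slow = guesses_per_second(lambda pw: verify_password(pw, record))
    print(f"SHA-512 ~{fast:,.0f} guesses/s, scrypt ~{slow:,.0f} guesses/s "
          f"({fast / max(slow, 1):,.0f}x slower per guess)")
```

Running the script recovers the "admin" account from the six-word list immediately while the long passphrase survives only because it is not in the list; the throughput comparison at the end shows the per-guess cost a memory-hard KDF imposes on the same attacker. The `looks_like_bare_sha512` check is the kind of one-liner to run over an exported credential column when auditing an instance before the upgrade.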

Affected Systems

The issue affects the Kestra (kestra‑io) open‑source workflow orchestration platform in versions prior to 1.3.24, where the BasicAuth component stores passwords as SHA‑512 digests. The fix ships in Kestra 1.3.24 and later releases.

Risk and Exploitability

The CVSS v3.1 base score is 8.7 (High) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N; no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Attack complexity is rated high because the attacker must first obtain read access to the PostgreSQL database, for example through a compromised co‑located service, leaked database credentials or misconfigured permissions. Once that access exists the cracking step runs offline, limited only by the attacker's hardware and the strength of the administrator password: a password drawn from a common wordlist falls quickly, whereas a long random one remains out of reach, which is why rotating credentials after upgrading matters. With the password recovered, the attacker can hijack administrative functions and, in Kubernetes deployments, obtain ServiceAccount tokens and all secrets, achieving vertical privilege escalation.

Generated by OpenCVE AI on June 26, 2026 at 22:23 UTC.

Remediation

Fixed by the vendor in Kestra 1.3.24; upgrade to 1.3.24 or later. No separate workaround is documented. Until the upgrade is applied, limiting who can read the PostgreSQL database and using a long random administrator password reduce exposure.

OpenCVE Recommended Actions

  • Upgrade Kestra to version 1.3.24 or later
  • Restrict read access to the PostgreSQL database to trusted administrators only
  • Rotate the administrator password and any service account tokens after upgrading

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.

Type: Title
  Values removed: (none)
  Values added: Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-916

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:50:09.954Z

Reserved: 2026-06-16T14:33:35.710Z

Link: CVE-2026-55069

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses
  • CWE-916

    Use of Password Hash With Insufficient Computational Effort