CVE-2026-45807 | Kestra is an open-source, event-driven orchestration platfor… | CVSS 7.7 HIGH

Description

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .. written as %2E%2E slips through. The downstream code then calls URI.getPath(), which decodes %2E%2E back to .., and the resulting path is handed to Paths.get(...) without normalization. The OS resolves the .. segments at open(2) time, so an authenticated user with a single execution can read any file the Kestra process has access to on the host filesystem (/etc/passwd, mounted secrets, other tenants' execution outputs, etc.). This vulnerability is fixed in 1.0.43 and 1.3.19.

Metadata

CVE ID: CVE-2026-45807
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-13 08:19 UTC
Published: 2026-06-26 20:57 UTC
Last updated: 2026-06-26 20:57 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: kestra-io / kestra
Sources: cve.org · NVD

Severity & Metrics

7.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
kestra-io	kestra	—	< 1.0.43, >= 1.1.0, < 1.3.19

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References (1)

https://github.com/kestra-io/kestra/security/advisories/GHSA-3529-p4wf-xp79 https://github.com/kestra-io/kestra/security/advisories/GHSA-3529-p4wf-xp79