CVE-2026-49869 | Kestra is an open-source, event-driven orchestration platfor… | CVSS 10.0 CRITICAL

Description

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.

Metadata

CVE ID: CVE-2026-49869
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-01 22:03 UTC
Published: 2026-06-26 20:58 UTC
Last updated: 2026-06-26 20:58 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: kestra-io / kestra
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
kestra-io	kestra	—	< 1.0.45, >= 1.1.0, < 1.3.21

Weakness (CWE)

CWE	Source	Description
CWE-184	cna	CWE-184: Incomplete List of Disallowed Inputs
CWE-287	cna	CWE-287: Improper Authentication
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/kestra-io/kestra/security/advisories/GHSA-5vc5-wxxq-3fjx https://github.com/kestra-io/kestra/security/advisories/GHSA-5vc5-wxxq-3fjx