CVE-2026-55069 | Kestra is an open-source, event-driven orchestration platfor… | CVSS 8.7 HIGH

Description

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.

Metadata

CVE ID: CVE-2026-55069
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 14:33 UTC
Published: 2026-06-26 20:50 UTC
Last updated: 2026-06-26 20:50 UTC
Primary CWE: CWE-916
CWE-916: Use of Password Hash With Insufficient Computationa…
Vendor / Product: kestra-io / kestra
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
kestra-io	kestra	—	< 1.3.24

Weakness (CWE)

CWE	Source	Description
CWE-916	cna	CWE-916: Use of Password Hash With Insufficient Computational Effort

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References (1)

https://github.com/kestra-io/kestra/security/advisories/GHSA-m727-pcjm-j28h https://github.com/kestra-io/kestra/security/advisories/GHSA-m727-pcjm-j28h