What is the CVSS score of CVE-2026-38428?

CVE-2026-38428 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Kestra are affected by CVE-2026-38428?

Kestra workflow orchestration platform versions 1.3.3 and earlier contain a critical SQL injection vulnerability (CVSS 9.8) allowing unauthenticated remote attackers to execute arbitrary database…

Kestra CVE-2026-38428

EUVD-2026-27426 CRITICAL

SQL Injection (CWE-89)

2026-05-05 mitre

GHSA-9jrq-5wf3-m9fp

SQLi

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 06, 2026 - 16:22 vuln.today

CVSS changed

May 06, 2026 - 16:22 NVD

9.8 (CRITICAL)

DescriptionNVD

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

AnalysisAI

SQL injection in Kestra workflow orchestration platform versions 1.3.3 and earlier enables remote unauthenticated attackers to execute arbitrary SQL commands and fully compromise the application database. The vulnerability stems from unsanitized GET parameters directly concatenated into SQL queries, allowing complete data exfiltration, modification, and potential database server compromise. …

RemediationAI

Within 24 hours: Identify all instances of Kestra version 1.3.3 and earlier in your environment using asset inventory and configuration management tools; disable or isolate affected instances from production networks if patch unavailable. Within 7 days: Contact Kestra vendor for available patch version and apply to all affected systems; if patch released, deploy to version 1.3.4 or later as documented in vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-38428 vulnerability details – vuln.today

Back

Kestra CVE-2026-38428

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code