Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable, low-complexity suffix-match bypass needs no privileges or interaction; auth-filter compromise leading to root RCE in the worker crosses a security boundary, so S:C with full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.
Articles & Coverage 2
AnalysisAI
Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to versions 1.0.45 and 1.3.21, where a flawed authentication whitelist lets attackers reach protected API endpoints without credentials. The AuthenticationFilter exempts the public config endpoint using a suffix match (request.getPath().endsWith("/configs")) instead of an exact path match, so any API path ending in 'configs' bypasses Basic Auth, allowing an attacker to create and run arbitrary workflows. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the Kestra OSS API on a vulnerable version (below 1.0.45 / 1.3.21) and that the default-bundled script-execution plugins (plugin-script-shell, plugin-script-python, etc.) remain enabled - both of which hold in a default installation, so no authentication, user interaction, or non-default setting is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Every available signal points to top-tier, immediately actionable risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Kestra API over the network sends a crafted request to an endpoint whose path ends in 'configs', which the AuthenticationFilter wrongly treats as the public config endpoint and serves without credentials. Using this unauthenticated access the attacker creates and triggers a workflow containing a shell or Python script task, which the default-enabled plugins execute as root inside the worker container, yielding full remote code execution. … |
| Remediation | Upgrade immediately to Kestra 1.0.45 (for the 1.0.x line) or 1.3.21 (for the 1.3.x line), which replace the suffix match with a correct exact-path check; these are the vendor-released patched versions per advisory GHSA-5vc5-wxxq-3fjx (https://github.com/kestra-io/kestra/security/advisories/GHSA-5vc5-wxxq-3fjx). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Kestra OSS deployments, identify running versions, and isolate critical instances from the network if immediate updates are not possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39922