Skip to main content

Kestra CVE-2026-53577

| EUVDEUVD-2026-39918 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-26 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible REST endpoint requiring only a valid authenticated session (PR:L); purely a read bypass with no write or availability impact whatsoever.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 23:02 EUVD
Analysis Generated
Jun 26, 2026 - 21:50 vuln.today

DescriptionCVE.org

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.

AnalysisAI

Unauthorized file read in Kestra's execution preview API allows any authenticated tenant user to access output files from executions they do not own, bypassing both execution-level and namespace-level isolation. Affected versions span the 1.0.x branch prior to 1.0.45 and the 1.3.x branch prior to 1.3.21. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Kestra tenant credentials
Delivery
Enumerate or guess target execution IDs via API or timing
Exploit
Craft GET request to /api/v1/{tenant}/executions/{targetId}/file/preview
Execution
Receive and exfiltrate execution output files
Impact
Extract sensitive data from pipeline artifacts

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session within the same Kestra tenant (PR:L per CVSS vector); unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N scores 6.5 (Medium), reflecting a purely network-reachable, low-complexity flaw requiring only a valid authenticated session (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Kestra user with a valid low-privilege account within a shared tenant issues GET requests to /api/v1/{tenant}/executions/{executionId}/file/preview, substituting execution IDs belonging to other users or namespaces. Because execution IDs are often sequential or UUID-based and may be discoverable through API listing endpoints, the attacker enumerates IDs and retrieves output files - potentially exposing database credentials, API keys, or sensitive business data produced by other teams' pipelines. …
Remediation Upgrade to Kestra 1.0.45 (for deployments on the 1.0.x line) or Kestra 1.3.21 (for deployments on the 1.3.x line), as confirmed by the GitHub Security Advisory GHSA-r6v3-xxwj-9h42 at https://github.com/kestra-io/kestra/security/advisories/GHSA-r6v3-xxwj-9h42. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy