
Kestra CVE-2026-55069

EUVD: EUVD-2026-39917 · HIGH
Use of Password Hash With Insufficient Computational Effort (CWE-916)
Published 2026-06-26 · CVSS 3.1 score 8.7 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

vuln.today AI: 8.7 HIGH

AC:H because the attack depends on prior PostgreSQL read access plus offline cracking; S:C with C:H/I:H reflects the pivot to the K8s ServiceAccount token and Secrets; A:N because availability is unaffected.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 26, 2026, 23:02 (EUVD)
Analysis generated: Jun 26, 2026, 21:51 (vuln.today)
CVE published: Jun 26, 2026, 20:50 (cve.org)

Description (CVE.org)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.

Analysis (AI)

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: obtain read access to the PostgreSQL backend
  • Delivery: extract the admin SHA-512 password hash
  • Exploit: crack the hash offline (SHA-512 is a fast hash)
  • Execution: authenticate to Kestra as administrator
  • Persist: read the K8s ServiceAccount token and Secrets
  • Impact: escalate privileges across the cluster
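The chain above turns on one property: a fast hash lets whoever holds the stored value test candidates at hardware speed, and without a salt one precomputed table serves every deployment. The following Python is an added example, not Kestra's code and not the 1.3.24 fix: it stands in a single unsalted SHA-512 for the pre-1.3.24 storage (the page does not give Kestra's exact format, so that is an assumption), runs an offline dictionary attack against it, and contrasts it with a salted, memory-hard scrypt hash of the kind a CWE-916 fix is meant to introduce. The wordlist, admin password and scrypt parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed for this demonstration: a small wordlist and the admin password.
WORDLIST = ["password", "kestra", "admin123", "orchestrate", "Summer2026!", "changeme"]
ADMIN_PASSWORD = "Summer2026!"

# Assumed scrypt parameters: 16 MiB per guess. Raise N for production use.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def weak_hash(password: str) -> str:
    """Assumed vulnerable pattern: one unsalted SHA-512 over the password.

    Kestra's real pre-1.3.24 format is not given on the page; any fast,
    non-memory-hard hash behaves the same way for an offline attacker.
    """
    return hashlib.sha512(password.encode()).hexdigest()


def crack_weak(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against a fast hash.

    Each guess costs one SHA-512, which a GPU computes billions of times per
    second; the attacker never touches Kestra while doing this.
    """
    for cand in candidates:
        if hmac.compare_digest(hashlib.sha512(cand.encode()).hexdigest(), target_hex):
            return cand
    return None


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: per-user random salt plus memory-hard scrypt.

    Encoded as 'scrypt$N$r$p$salt$dk' so the cost parameters travel with the
    hash and can be raised later without breaking verification.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the parameters stored beside the hash; compare in constant time."""
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(hash_fn, iterations: int) -> float:
    """Rough single-core throughput; enough to show the cost gap between schemes."""
    start = time.perf_counter()
    for i in range(iterations):
        hash_fn(f"guess-{i}")
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    stored_weak = weak_hash(ADMIN_PASSWORD)
    print("recovered from SHA-512:", crack_weak(stored_weak, WORDLIST))

    stored_strong = strong_hash(ADMIN_PASSWORD)
    print("scrypt verify, correct password:", verify_strong(ADMIN_PASSWORD, stored_strong))
    print("scrypt verify, wrong password:  ", verify_strong("admin123", stored_strong))

    fast = guesses_per_second(weak_hash, 20000)
    slow = guesses_per_second(lambda pw: strong_hash(pw, salt=b"\x00" * 16), 5)
    print(f"SHA-512 ~{fast:,.0f} guesses/s vs scrypt ~{slow:,.1f} guesses/s "
          f"on one core (x{fast / slow:,.0f} cheaper for the attacker)")
```

The throughput numbers are only indicative, but the ratio is the point: a fast hash lets the cracking budget scale with GPU count, while a memory-hard hash makes every guess cost tens of megabytes and milliseconds, and the per-user salt removes any benefit from precomputation. Note that the hardened scheme only protects values written after the change; a hash already copied out of the database keeps its original strength.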

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the attacker first obtain READ access to the PostgreSQL database backing Kestra in order to retrieve the stored administrator SHA-512 password hash; this is the explicit, concrete prerequisite. …
Risk Assessment: The signals are mixed, and the headline CVSS of 8.7 likely overstates standalone risk. …
Exploit Scenario: An attacker who has already compromised a read-only path to Kestra's PostgreSQL backend (e.g., via a misconfigured database account, a backup, or an adjacent service) dumps the admin credential and runs an offline GPU cracking session against the fast SHA-512 hash. Once the password is recovered, they authenticate to Kestra as administrator and, in a Kubernetes deployment, read the pod's ServiceAccount token and all accessible K8s Secrets to pivot deeper into the cluster. …
Remediation: Vendor-released patch: 1.3.24. Upgrade Kestra to 1.3.24 or later, which addresses the weak password-hashing scheme, and rotate the administrator password after upgrading so the previously stored fast-hash value is replaced; a stronger hashing scheme only protects values written after the change, not a hash an attacker has already copied. …

Recommended Action (AI)

Within 24 hours: Audit PostgreSQL database access logs and identify all principals with read access to the Kestra instance; document when admin credentials were last changed. …
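The first recommended step, identifying who could have read the stored hash, is a log review. The following Python is an added example, not tooling from vuln.today or Kestra: it parses PostgreSQL log lines written in pgaudit's SESSION record format (assuming log_line_prefix '%m [%p] %u@%d ') and flags READ-class access (SELECT, or COPY ... TO, which is how a dump reads a table) to the credential table by any role other than the application's. The table name, role names and log lines are constructed for the demonstration; substitute the real ones from your deployment.

```python
import csv
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical names: the page does not give the table that holds BasicAuth
# credentials or the role Kestra connects with, so both are assumptions.
CREDENTIAL_TABLES = {"public.basic_auth_credentials"}
ALLOWED_READERS = {"kestra_app"}

# Assumes log_line_prefix = '%m [%p] %u@%d ' followed by a pgaudit SESSION record:
# AUDIT: SESSION,stmt_id,substmt_id,class,command,object_type,object_name,statement,parameter
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+AUDIT: (?P<audit>.*)$"
)

# Constructed sample log lines (not from a real Kestra deployment).
SAMPLE_LOG = [
    "2026-06-27 08:14:02.118 UTC [2231] kestra_app@kestra LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,"
    'public.basic_auth_credentials,"SELECT username, password FROM basic_auth_credentials WHERE username = $1",<none>',
    "2026-06-27 08:16:40.907 UTC [2290] reporting_ro@kestra LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,"
    "public.basic_auth_credentials,SELECT * FROM basic_auth_credentials,<none>",
    "2026-06-27 08:17:11.003 UTC [2290] reporting_ro@kestra LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,"
    "public.flows,SELECT count(*) FROM flows,<none>",
    "2026-06-27 08:20:05.552 UTC [2311] backup@kestra LOG:  AUDIT: SESSION,1,1,READ,COPY,TABLE,"
    "public.basic_auth_credentials,COPY public.basic_auth_credentials TO STDOUT,<none>",
    "2026-06-27 08:21:00.000 UTC [2311] backup@kestra LOG:  connection authorized: user=backup database=kestra",
]


@dataclass
class Finding:
    ts: str
    user: str
    command: str
    table: str
    statement: str


def parse_audit_line(line: str) -> Optional[dict]:
    """Split one log line into prefix fields plus the pgaudit CSV payload.

    Returns None for lines that are not SESSION audit records; the statement
    column may contain commas, so the payload is parsed with the csv module.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = next(csv.reader([m.group("audit")]))
    if len(fields) < 8 or fields[0] != "SESSION":
        return None
    return {
        "ts": m.group("ts"), "user": m.group("user"), "db": m.group("db"),
        "class": fields[3], "command": fields[4], "object_type": fields[5],
        "object": fields[6], "statement": fields[7],
    }


def find_credential_reads(lines: Iterable[str]) -> List[Finding]:
    """Flag READ-class access to a credential table by a non-application role."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["class"] != "READ":
            continue
        if rec["object"] not in CREDENTIAL_TABLES or rec["user"] in ALLOWED_READERS:
            continue
        findings.append(Finding(rec["ts"], rec["user"], rec["command"],
                                rec["object"], rec["statement"]))
    return findings


def principals_to_review(findings: Iterable[Finding]) -> List[str]:
    """Distinct roles that read the hash: each needs its grant and its owner explained."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    hits = find_credential_reads(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts}  {f.user:<14} {f.command:<6} {f.table}  :: {f.statement}")
    print("principals to review:", principals_to_review(hits))
```

Two things to keep in mind when running this against real logs: pgaudit must have been enabled (pgaudit.log includes READ) for the window under review, otherwise the absence of hits proves nothing; and a role with SELECT on the credential table but no logged reads is still a principal to include in the "who could have read it" inventory, which a grants query (information_schema.role_table_grants) answers rather than the log.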



CVE-2026-55069 vulnerability details – vuln.today
