Skip to main content

Kestra EUVDEUVD-2026-27426

| CVE-2026-38428 CRITICAL
SQL Injection (CWE-89)
2026-05-05 mitre GHSA-9jrq-5wf3-m9fp
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 06, 2026 - 16:22 vuln.today
CVSS changed
May 06, 2026 - 16:22 NVD
9.8 (CRITICAL)

DescriptionCVE.org

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

AnalysisAI

SQL injection in Kestra workflow orchestration platform versions 1.3.3 and earlier enables remote unauthenticated attackers to execute arbitrary SQL commands and fully compromise the application database. The vulnerability stems from unsanitized GET parameters directly concatenated into SQL queries, allowing complete data exfiltration, modification, and potential database server compromise. Despite critical CVSS 9.8 severity, EPSS score of 0.01% (2nd percentile) suggests minimal observed exploitation attempts, though GitHub security advisory publication indicates vendor acknowledgment and likely patch availability.

Technical ContextAI

Kestra is an open-source workflow orchestration and scheduling platform. This vulnerability is a classic CWE-89 SQL Injection flaw occurring when user-supplied input from HTTP GET parameters is concatenated directly into SQL query strings without parameterized queries or input validation. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates the vulnerable endpoint is network-accessible, requires no authentication, and has low attack complexity. The affected component appears to be Kestra's web API layer that handles workflow queries or administrative functions. SQL injection at this level can bypass all application-layer access controls since the attacker is manipulating database operations directly. The presence of a GitHub Security Advisory (GHSA-365w-2m69-mp9x) suggests the vulnerability was responsibly disclosed to the Kestra project maintainers.

RemediationAI

Upgrade to Kestra version 1.3.4 or later if available, verifying the fix version through the GitHub security advisory at https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x which should specify the exact patched release. If immediate patching is not feasible, implement network-level access controls to restrict Kestra API endpoints to trusted IP ranges only, reducing attack surface from internet-wide to internal networks, though this does not eliminate risk from authenticated internal users or compromised systems. Web application firewall (WAF) rules detecting SQL injection patterns in GET parameters can provide defense-in-depth, but may cause false positives on legitimate queries containing SQL-like syntax and should be tested thoroughly before production deployment. Review application logs for suspicious GET parameter patterns containing SQL keywords (UNION, SELECT, OR 1=1, etc.) to detect potential exploitation attempts. As a longer-term architectural improvement, ensure all database interactions use parameterized queries or ORM frameworks that prevent SQL injection by design. Note that workarounds only reduce risk and are not substitutes for applying the vendor patch.

Share

EUVD-2026-27426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy