Skip to main content

Kestra EUVDEUVD-2026-38081

| CVE-2026-48129 MEDIUM
Path Traversal (CWE-22)
2026-06-19 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable via webhook (AV:N) but requires specific flow configuration forwarding untrusted input (AC:H); file write only with no read primitive confirms C:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 19, 2026 - 23:17 EUVD
Analysis Generated
Jun 19, 2026 - 20:49 vuln.today

DescriptionCVE.org

Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task inputFiles writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an inputFiles file name, a caller can use ../ path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.

AnalysisAI

Path traversal in Kestra's inputFiles task mechanism allows remote attackers to write arbitrary files to the worker filesystem when flows forward untrusted webhook or execution data as file names. Affected across four release branches (prior to 1.3.19, 1.2.19, 1.1.19, and 1.0.43), exploitation depends on a specific flow design pattern but requires no authentication if the target webhook is publicly accessible. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Kestra webhook forwarding input to inputFiles
Delivery
Craft payload embedding path traversal sequences
Exploit
Submit HTTP request to webhook endpoint
Execution
Worker renders unsanitized filename
Impact
Arbitrary file written outside task directory on worker host

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions: first, a Kestra flow must be configured to pass externally supplied data - webhook payload fields or execution input parameters - directly into the file name (key) of an `inputFiles` task entry, which is a non-default flow design choice made by a developer; second, the attacker must be able to trigger that flow, either through a publicly accessible webhook URL or via whatever access control governs the Kestra execution API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L) captures the key risk profile: network-reachable with no credential requirement, but gated by high attack complexity reflecting the prerequisite that a vulnerable flow configuration must exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates a Kestra instance with a publicly accessible webhook that triggers a flow passing the webhook payload's filename field directly into `inputFiles`. The attacker sends a crafted HTTP POST containing a file name such as `../../etc/cron.d/pwned`, causing the Kestra worker to write attacker-controlled content to an arbitrary path on the worker filesystem. …
Remediation Upgrade Kestra to the patched release corresponding to the deployed branch: 1.3.19, 1.2.19, 1.1.19, or 1.0.43. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy