Severity by source

Primary rating from vendor (GitHub_M): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

AC:H because the attack depends on prior PostgreSQL read access plus offline cracking; S:C with C:H/I:H reflects the pivot to the Kubernetes ServiceAccount token and Secrets; A:N because availability is unaffected.
Description (CVE.org)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.
Analysis (AI)
Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. …
Vulnerability Assessment (AI)

| Topic | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the attacker first obtains read access to the PostgreSQL database backing Kestra in order to retrieve the stored administrator SHA-512 password hash; this is the explicit, concrete prerequisite. … |
| Risk Assessment | The signals are mixed and the headline CVSS of 8.7 likely overstates standalone risk. … |
| Exploit Scenario | An attacker who has already compromised a read-only path to Kestra's PostgreSQL backend (e.g., via a misconfigured database account, a backup, or an adjacent service) dumps the admin credential and runs an offline GPU cracking session against the fast SHA-512 hash. Once the password is recovered they authenticate to Kestra as administrator and, in a Kubernetes deployment, read the pod's ServiceAccount token and all accessible K8s Secrets to pivot deeper into the cluster. … |
| Remediation | Vendor-released patch: 1.3.24. Upgrade Kestra to 1.3.24 or later, which addresses the weak password-hashing scheme, and rotate the administrator password after upgrading so any previously stored fast-hash value is replaced. … |
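The distinction the description and remediation rows turn on, a fast unsalted digest versus a deliberately slow, salted KDF, as an added Python example that is not Kestra's code and does not reproduce Kestra's storage format: it hashes a password both ways, verifies the slow form in constant time, and provides an audit helper that flags stored values shaped like a bare SHA-512 digest so those accounts can be rotated after the upgrade. The `pbkdf2_sha512$…` encoding, the iteration count, the `fast_sha512`/`slow_hash`/`accounts_needing_rotation` names and the sample rows are assumptions constructed for this example.

```python
"""Added example (not Kestra's code): fast unsalted SHA-512 versus a salted,
iterated KDF, plus an audit helper that flags bare SHA-512 digests.
The hash encoding, iteration count and sample rows are assumptions."""
import hashlib
import hmac
import os
import re
import time
from typing import Iterable, List, Optional, Tuple

# Assumption: an iteration count of the order commonly recommended for
# PBKDF2-HMAC-SHA512; tune so one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def fast_sha512(password: str) -> str:
    """The weak scheme the advisory describes: one unsalted SHA-512 pass.
    The same password always yields the same digest, and hardware can test
    candidates at very high rates, so a leaked digest is crackable offline."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA512, encoded in an assumed
    'pbkdf2_sha512$<iterations>$<salt hex>$<key hex>' string."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${key.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iterations, salt_hex, key_hex = parts
    try:
        key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed salt or iteration count
        return False
    return hmac.compare_digest(key.hex(), key_hex)


# A bare SHA-512 hex digest is exactly 128 hex characters with no salt or scheme tag.
_BARE_SHA512 = re.compile(r"^[0-9a-f]{128}$")


def looks_like_fast_hash(stored: str) -> bool:
    """True when a stored credential is shaped like an unsalted SHA-512 digest."""
    return bool(_BARE_SHA512.match(stored.strip().lower()))


def accounts_needing_rotation(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (username, stored_hash) rows, return users still on the weak form."""
    return [user for user, stored in rows if looks_like_fast_hash(stored)]


def guesses_per_second(hash_fn, n: int) -> float:
    """Rough single-thread throughput; illustrates the cost gap between schemes."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"candidate-{i}")
    return n / (time.perf_counter() - start)


# Constructed sample rows (not real Kestra data): one legacy digest, one migrated hash.
SAMPLE_ROWS = [
    ("admin", fast_sha512("example-admin-password")),
    ("auditor", slow_hash("example-auditor-password", iterations=20_000)),
]

if __name__ == "__main__":
    print("needs rotation:", accounts_needing_rotation(SAMPLE_ROWS))
    print(f"sha512 guesses/s : {guesses_per_second(fast_sha512, 20_000):,.0f}")
    print(f"pbkdf2 guesses/s : {guesses_per_second(slow_hash, 3):,.2f}")
```

Running the module prints which constructed accounts still carry a bare digest and the throughput of each scheme on one CPU thread; the gap of several orders of magnitude is what makes offline recovery of a fast hash practical and a properly iterated KDF expensive.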
Recommended Action (AI)
Within 24 hours: Audit PostgreSQL database access logs and identify all principals with read access to the Kestra instance; document when admin credentials were last changed. …
EUVD-2026-39917