Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible REST endpoint requiring only a valid authenticated session (PR:L); purely a read bypass with no write or availability impact whatsoever.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.
AnalysisAI
Unauthorized file read in Kestra's execution preview API allows any authenticated tenant user to access output files from executions they do not own, bypassing both execution-level and namespace-level isolation. Affected versions span the 1.0.x branch prior to 1.0.45 and the 1.3.x branch prior to 1.3.21. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session within the same Kestra tenant (PR:L per CVSS vector); unauthenticated access is not sufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N scores 6.5 (Medium), reflecting a purely network-reachable, low-complexity flaw requiring only a valid authenticated session (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Kestra user with a valid low-privilege account within a shared tenant issues GET requests to /api/v1/{tenant}/executions/{executionId}/file/preview, substituting execution IDs belonging to other users or namespaces. Because execution IDs are often sequential or UUID-based and may be discoverable through API listing endpoints, the attacker enumerates IDs and retrieves output files - potentially exposing database credentials, API keys, or sensitive business data produced by other teams' pipelines. … |
| Remediation | Upgrade to Kestra 1.0.45 (for deployments on the 1.0.x line) or Kestra 1.3.21 (for deployments on the 1.3.x line), as confirmed by the GitHub Security Advisory GHSA-r6v3-xxwj-9h42 at https://github.com/kestra-io/kestra/security/advisories/GHSA-r6v3-xxwj-9h42. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Kestra versions 1.1.10 and earlier allow authenticated users to perform cross-site scripting (XSS) attacks through the e
Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to
Unauthenticated remote code execution in Kestra orchestration platform before 1.0.45 and 1.3.21 lets anonymous attackers
Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component stor
Arbitrary file read in Kestra orchestration platform (versions prior to 1.0.43 and 1.3.19) lets an authenticated user wi
Authenticated path traversal in Kestra's local internal-storage backend (versions prior to 1.0.45 and 1.3.23) lets any l
Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject
Path traversal in Kestra's `inputFiles` task mechanism allows remote attackers to write arbitrary files to the worker fi
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39918