CVE-2026-34612: Kestra SQL Injection leads to RCE
Platform
postgresql
Component
kestra
Fixed in
1.3.7
Kestra is an open-source event-driven orchestration platform. Versions prior to 1.3.7 contain a SQL injection vulnerability in the `/api/v1/main/flows/search` endpoint that can be escalated to remote code execution (RCE). The endpoint requires authentication, but because it is reached with a plain request, an attacker does not need their own credentials: a crafted link opened by a logged-in user is enough for that user's session to carry the injected query, resulting in arbitrary OS command execution on the host running Kestra. Version 1.3.7 fixes the issue.
How to fix
Upgrade to Kestra 1.3.7 or later, which contains the fix. No workaround is documented for earlier versions; until the upgrade is done, treat every account that can log in to the instance as able to trigger this path, and keep the deployment under watch for further updates.
Frequently asked questions
What is CVE-2026-34612?
CVE-2026-34612 is a critical SQL Injection vulnerability in Kestra orchestration platform versions prior to 1.3.7. It allows an authenticated user to execute arbitrary operating system commands on the server via the `/api/v1/main/flows/search` endpoint.
Am I affected by this vulnerability?
You are affected if you are running any Kestra version earlier than 1.3.7. Specifically, the default Docker Compose deployment is vulnerable. Check the version your instance reports and upgrade if necessary.
How do I fix this vulnerability?
Upgrade Kestra to version 1.3.7 or later to resolve this SQL Injection vulnerability and prevent Remote Code Execution. Ensure your deployment is updated promptly.
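Two checks a practitioner would want from this advisory are an exact version comparison against the fixed release (the FAQ above only gives the boundary in words) and a way to spot requests to the affected endpoint in access logs. The script below is an added example, not code from the Kestra project or from this advisory. It assumes a reverse proxy in front of Kestra writes common-format access logs; the sample log lines are constructed, and the SQL-metacharacter heuristic is a generic one, not the specific payload used against this vulnerability, which the advisory does not disclose.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Boundary from the advisory: "versions prior to 1.3.7" are affected.
FIXED_VERSION = (1, 3, 7)
# Endpoint named in the advisory.
SEARCH_PATH = "/api/v1/main/flows/search"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.6', 'v1.3.6' or '1.3.7-SNAPSHOT' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes are ignored; that is an assumption of this example, so a
    snapshot build of 1.3.7 is treated like the release.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kestra version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the running version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Generic SQL-injection indicators (assumption: broad heuristic, tuned for PostgreSQL
# back ends because the advisory lists postgresql as the platform). Expect some noise
# from legitimate searches containing quotes; the hit list is for triage, not blocking.
SQLI_PATTERN = re.compile(
    r"('|--|;|/\*|\b(union|select|pg_sleep)\b)", re.IGNORECASE
)

# Common log format as written by nginx/Apache in front of Kestra (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_search_requests(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, user, parameter, decoded_value) for requests to the flows
    search endpoint whose query parameters carry SQL metacharacters.

    Only the affected path is inspected; the same strings on other endpoints are
    ignored so the output stays focused on this advisory.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != SEARCH_PATH:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already decodes once; decode again to catch double encoding.
            decoded = unquote_plus(value)
            if SQLI_PATTERN.search(decoded):
                hits.append((m.group("ip"), m.group("user"), name, decoded))
                break
    return hits


# Constructed sample lines for illustration (not real traffic). The second line
# carries a generic injection string, not the actual payload for this CVE.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [12/Mar/2026:10:01:02 +0000] "GET /api/v1/main/flows/search?q=deploy&page=1&size=25 HTTP/1.1" 200 512',
    '10.0.0.5 - alice [12/Mar/2026:10:01:09 +0000] "GET /api/v1/main/flows/search?q=x%27%20OR%201%3D1--&page=1 HTTP/1.1" 200 9120',
    '10.0.0.7 - bob [12/Mar/2026:10:02:00 +0000] "GET /api/v1/main/executions/search?q=select%20x HTTP/1.1" 200 300',
    '10.0.0.9 - - [12/Mar/2026:10:02:30 +0000] "GET /ui/flows HTTP/1.1" 200 2000',
]

if __name__ == "__main__":
    for v in ("1.3.6", "1.3.7", "1.4.0"):
        print(f"Kestra {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for ip, user, param, value in suspicious_search_requests(SAMPLE_ACCESS_LOG):
        print(f"suspicious search from {ip} as {user}: {param}={value!r}")
```

Because the attack path is a link opened by an already authenticated user, the interesting hits are the ones where the `user` column is a legitimate account and the client address is that person's usual one; the request itself looks like any other search, so the parameter contents are the only signal in a proxy log.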