
CVE-2026-34612: Kestra SQL Injection leads to RCE

Platform: postgresql

Component: kestra

Fixed in: 1.3.7

Kestra is an open-source orchestration platform vulnerable to a SQL Injection flaw prior to version 1.3.7. This vulnerability, exploitable via the `/api/v1/main/flows/search` endpoint, can lead to Remote Code Execution (RCE) on the host system. Versions affected include those less than or equal to 1.3.7; a patch is available in version 1.3.7.

How to fix

Upgrade Kestra to version 1.3.7 or later to mitigate the SQL injection vulnerability that could allow remote code execution. Make sure to apply the update in every environment where Kestra is used, especially in Docker Compose deployments.

Frequently asked questions

What is CVE-2026-34612?

CVE-2026-34612 is a critical SQL Injection vulnerability in Kestra versions 1.3.7 and earlier. It allows an attacker to execute arbitrary operating system commands on the server by crafting a malicious link and exploiting the `/api/v1/main/flows/search` endpoint after authentication.

Am I affected by this vulnerability?

You are affected if you are using Kestra versions less than or equal to 1.3.7. If you are running a later version, you are not vulnerable to this specific SQL Injection flaw.

How do I fix this?

Upgrade Kestra to version 1.3.7 or later to resolve this SQL Injection vulnerability and prevent potential Remote Code Execution.
