Platform: docker
Component: docker
Fixed in: 1.3.8
CVE-2026-34612 describes a critical SQL Injection vulnerability discovered in Kestra, an open-source event-driven orchestration platform. This flaw allows for Remote Code Execution (RCE) through the /api/v1/main/flows/search endpoint, requiring only authentication and a crafted link. The vulnerability impacts deployments using the default docker-compose configuration and has been resolved in version 1.3.7.
The impact of CVE-2026-34612 is severe due to the potential for Remote Code Execution. An attacker, once authenticated, can trigger the SQL Injection simply by visiting a specially crafted URL. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., effectively allowing the attacker to run arbitrary operating system commands on the host machine running the Kestra instance. This grants the attacker complete control over the affected system, enabling data exfiltration, malware installation, and lateral movement within the network. The ease of exploitation, requiring only authentication and a URL visit, significantly increases the risk of widespread compromise.
CVE-2026-34612 is a high-severity vulnerability due to its ease of exploitation and potential for RCE. Public proof-of-concept code is likely to emerge given the vulnerability's nature. The vulnerability was publicly disclosed on 2026-04-03. It is recommended to monitor CISA KEV for updates regarding this vulnerability.
Exploit Status
EPSS: 0.16% (37th percentile)
The primary mitigation for CVE-2026-34612 is to upgrade Kestra to version 1.3.7 or later immediately. If upgrading is not immediately feasible, consider implementing strict input validation on the /api/v1/main/flows/search endpoint to sanitize user-supplied data; while not a complete fix, this reduces the attack surface. Additionally, review PostgreSQL permissions to ensure that COPY ... TO PROGRAM is restricted to trusted roles and processes. Monitor PostgreSQL logs for unusual activity, specifically statements that invoke COPY ... TO PROGRAM or otherwise contain suspicious commands. After upgrading, confirm the vulnerability is resolved by attempting the crafted URL from the vulnerability description and verifying that no OS commands are executed.
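As an added example (not code from this advisory or from the Kestra project), a small scanner that implements the log-monitoring advice above: it reads PostgreSQL statement logs (assumes log_statement = 'all' and the default text log prefix) and flags the COPY ... TO PROGRAM shape this CVE abuses, going slightly beyond the advisory by also flagging a few server-side file-access functions and the stacked-statement-plus-comment shape typical of injection. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in PostgreSQL's default text log format with
# log_statement = 'all'. The second line mimics the COPY ... TO PROGRAM pattern
# the advisory describes, appended to an otherwise ordinary flow search query.
SAMPLE_LOG = """\
2026-04-03 10:14:02.101 UTC [2231] LOG:  statement: SELECT id, namespace FROM flows WHERE namespace = 'prod' LIMIT 50
2026-04-03 10:14:05.417 UTC [2231] LOG:  statement: SELECT id FROM flows WHERE namespace = 'x'; COPY (SELECT 1) TO PROGRAM 'id' --' LIMIT 50
2026-04-03 10:14:07.003 UTC [2240] LOG:  statement: COPY flows TO '/tmp/flows.csv'
2026-04-03 10:14:09.550 UTC [2240] LOG:  statement: SELECT count(*) FROM executions
"""

# Matches "<timestamp> <tz> [<pid>] LOG:  statement: <sql>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$")

# Ordered from most to least severe; the first matching rule wins.
RULES = [
    ("critical", "COPY ... TO/FROM PROGRAM runs an OS command as the database server process",
     re.compile(r"\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b", re.I | re.S)),
    ("high", "server-side file access function",
     re.compile(r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(", re.I)),
    ("medium", "stacked statement followed by a comment terminator (classic injection shape)",
     re.compile(r";\s*\w+.*--", re.S)),
]

@dataclass
class Finding:
    pid: str
    severity: str
    reason: str
    sql: str

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per logged statement that matches a rule; plain COPY to a file is not flagged."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line (or a different log format)
        sql = m.group("sql")
        for severity, reason, rx in RULES:
            if rx.search(sql):
                findings.append(Finding(m.group("pid"), severity, reason, sql))
                break
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] pid={f.pid} {f.reason}\n    {f.sql}")
```

COPY ... TO PROGRAM is only available to superusers and members of the pg_execute_server_program role, so the permission review the advisory suggests amounts to checking that the role Kestra connects with is neither; a hit from this scanner on that role is a strong incident signal.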
Update Kestra to version 1.3.7 or higher to mitigate the SQL Injection vulnerability that could allow remote code execution. Ensure the update is applied in all environments where Kestra is used, especially Docker-Compose deployments.
CVE-2026-34612 is a critical SQL Injection vulnerability in Kestra versions prior to 1.3.7, allowing for Remote Code Execution via a crafted URL on the /api/v1/main/flows/search endpoint.
You are affected if you are running Kestra versions prior to 1.3.7, particularly those using the default docker-compose deployment configuration.
Upgrade Kestra to version 1.3.7 or later. As a temporary workaround, implement strict input validation on the /api/v1/main/flows/search endpoint.
While there is no confirmed active exploitation at the time of this writing, the ease of exploitation suggests it is likely to be targeted.
Refer to the Kestra project's official security advisories and release notes for details: [https://kestra.io/](https://kestra.io/)