CRITICAL🇵🇱 Wersja polska

CVE-2026-38428

CVSS 9.8v3.1pub. 2026-05-05upd. 2026-05-08

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

🤖 AI Analysis
How it works

The vulnerability results from directly concatenating user input data — passed through the GET request parameter — with the content of the SQL query, without applying proper sanitization or query parameterization. An attacker can craft a malicious GET parameter value that will be interpreted by the database engine as part of the SQL query. As a result, arbitrary modification of the query logic executed by the application is possible.

Impact

An attacker can gain unauthorized access to data stored in the database, modify or delete data, and depending on the database configuration — potentially take control of the database server or cause it to become unavailable.

Mitigation & patch

Kestra must be updated to a version newer than 1.3.3. Detailed information about available patches can be found in the official security advisory from the vendor at: https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x

Who is affected

Kestra in version 1.3.3 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Kestra

    APP
    Kestra
    < 1.0.351.1.0 – 1.3.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-53576CRITICAL10.0PL ✓ten sam produkt

Kestra: Pominięcie uwierzytelnienia REST API prowadzące do RCE jako root

CVE-2026-49869CRITICAL10.0PL ✓ten sam produkt

Kestra: Auth Bypass umożliwiający nieuwierzytelniony RCE jako root

CVE-2026-34612CRITICAL9.9PL ✓ten sam produkt

SQL Injection prowadzący do RCE w platformie Kestra (endpoint wyszukiwania flows)

CVE-2026-55069HIGH8.7ten sam produkt

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in t...

CVE-2026-45807HIGH7.7ten sam produkt

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API ...