CVE-2026-49869

Source
https://cve.org/CVERecord?id=CVE-2026-49869
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49869.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49869
Aliases
  • GHSA-5vc5-wxxq-3fjx
Published
2026-06-26T20:58:19.576Z
Modified
2026-07-15T01:49:16.951993312Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`
Details

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-184",
        "CWE-287",
        "CWE-78",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49869.json"
}
References

Affected packages

Git / github.com/kestra-io/kestra

Affected ranges

Type
GIT
Repo
https://github.com/kestra-io/kestra
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.45"
        },
        {
            "introduced": "1.1.0"
        },
        {
            "fixed": "1.3.21"
        }
    ]
}

Affected versions

v0.*
v0.0.1234
v0.19.0
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.2
v1.0.20
v1.0.21
v1.0.22
v1.0.23
v1.0.24
v1.0.25
v1.0.26
v1.0.27
v1.0.28
v1.0.29
v1.0.3
v1.0.30
v1.0.31
v1.0.32
v1.0.33
v1.0.34
v1.0.35
v1.0.36
v1.0.37
v1.0.38
v1.0.39
v1.0.4
v1.0.40
v1.0.41
v1.0.42
v1.0.43
v1.0.44
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.3.0
v1.3.0-rc0
v1.3.0-rc1
v1.3.1
v1.3.11
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49869.json"