CVE-2026-49869

CRITICAL 10.0

Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.

CWE	CWE-78 CWE-184 CWE-287 CWE-918
Vendor	kestra-io
Product	kestra
Published	Jun 26, 2026

Stay Ahead of the Next One

Get instant alerts for kestra-io kestra

Be the first to know when new critical vulnerabilities affecting kestra-io kestra are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

kestra-io / kestra

< 1.0.45 >= 1.1.0, < 1.3.21

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/kestra-io/kestra/security/advisories/GHSA-5vc5-wxxq-3fjx