CVE-2026-38428 in Kestra

Summary

by MITRE • 2026-05-05

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL injection vulnerability in the endpoint "GET /api/v1/main/flows/search" that leads to remote code execution (RCE). Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL via COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.


Responsible: GitHub M

Reserved: 2026-03-30

Disclosure: 2026-05-05

Moderation: accepted

Entry: VDB-355248

CPE: ready

EPSS: 0.00067

KEV: no

Activities: very low

Sources
