kestra-io kestra up to 1.0.44/1.3.20 previewFileFromExecution Endpoint /api/v1 authorization

Summaryinfo

A vulnerability was found in kestra-io kestra up to 1.0.44/1.3.20. It has been declared as problematic. The impacted element is an unknown function of the file /api/v1 of the component previewFileFromExecution Endpoint. The manipulation results in authorization. This vulnerability is identified as CVE-2026-53577. The attack can be executed remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in kestra-io kestra up to 1.0.44/1.3.20. Affected is some unknown processing of the file /api/v1 of the component previewFileFromExecution Endpoint. The manipulation with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-863. The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. This is going to have an impact on confidentiality. CVE summarizes:

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.

The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-53577 since 06/09/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. There are known technical details, but no exploit is available.

Upgrading to version 1.0.45 or 1.3.21 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-39918). Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• kestra-io

Name

• kestra

Version

• 1.0.0
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.0.9
• 1.0.10
• 1.0.11
• 1.0.12
• 1.0.13
• 1.0.14
• 1.0.15
• 1.0.16
• 1.0.17
• 1.0.18
• 1.0.19
• 1.0.20
• 1.0.21
• 1.0.22
• 1.0.23
• 1.0.24
• 1.0.25
• 1.0.26
• 1.0.27
• 1.0.28
• 1.0.29
• 1.0.30
• 1.0.31
• 1.0.32
• 1.0.33
• 1.0.34
• 1.0.35
• 1.0.36
• 1.0.37
• 1.0.38
• 1.0.39
• 1.0.40
• 1.0.41
• 1.0.42
• 1.0.43
• 1.0.44
• 1.3.0
• 1.3.1
• 1.3.2
• 1.3.3
• 1.3.4
• 1.3.5
• 1.3.6
• 1.3.7
• 1.3.8
• 1.3.9
• 1.3.10
• 1.3.11
• 1.3.12
• 1.3.13
• 1.3.14
• 1.3.15
• 1.3.16
• 1.3.17
• 1.3.18
• 1.3.19
• 1.3.20

Website

• Product: https://github.com/kestra-io/kestra/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion