Remote Code Execution Vulnerability in Kestra Event-Driven Orchestration Platform
CVE-2026-29082
7.3 HIGH
What is CVE-2026-29082?
The Kestra platform's execution-file preview feature is vulnerable due to improper handling of user-supplied Markdown (.md) files. In versions 1.1.10 and earlier, this feature uses the 'markdown-it' library to render Markdown into HTML, with the rendered HTML being injected into the application using Vue's 'v-html' directive without proper sanitization. This flaw could potentially allow an attacker to execute arbitrary HTML or JavaScript code, leading to security risks including remote code execution. At the time of this report, there are no publicly available patches to mitigate this vulnerability.
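A check defenders can run over their own Vue components for the pattern described above: Markdown rendered to HTML and bound with `v-html` without sanitization. This is an added example, not code from Kestra or from the advisory; the sample component, the `md` variable, the `auditVHtml` helper and the `sanitizeHtml` wrapper name are assumptions made for illustration.

```javascript
// Sanitizer calls accepted as safe wrappers. DOMPurify.sanitize is the real
// DOMPurify API; sanitizeHtml is a hypothetical project helper (assumption).
const SANITIZERS = [/\bDOMPurify\.sanitize\s*\(/, /\bsanitizeHtml\s*\(/];

// Matches v-html="expr" or v-html='expr' anywhere in a component source.
const V_HTML = /\bv-html\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Returns one finding per v-html binding whose expression is not visibly
// wrapped in a sanitizer call.
function auditVHtml(source, file = '<inline>') {
  const findings = [];
  for (const m of source.matchAll(V_HTML)) {
    const expr = (m[1] ?? m[2]).trim();
    if (SANITIZERS.some((re) => re.test(expr))) continue;
    // 1-based line number of the binding.
    const line = source.slice(0, m.index).split('\n').length;
    // A direct markdown-it render()/renderInline() call is the pattern the
    // advisory describes. A bare identifier may be sanitized where it is
    // computed, so it is only queued for manual review.
    const severity = /\.render(?:Inline)?\s*\(/.test(expr) ? 'high' : 'review';
    findings.push({ file, line, expr, severity });
  }
  return findings;
}

// Constructed sample component (not Kestra source).
const SAMPLE = `<template>
  <div class="preview">
    <div v-html="md.render(content)" />
    <div v-html="DOMPurify.sanitize(md.render(content))" />
    <div v-html="renderedHtml" />
  </div>
</template>`;

for (const f of auditVHtml(SAMPLE, 'Preview.vue')) {
  console.log(`${f.file}:${f.line} [${f.severity}] v-html="${f.expr}"`);
}
```

The check is textual: a `review` finding means the sanitization, if any, happens outside the template and has to be confirmed by reading the computed property or method that produces the value.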
Affected Version(s)
kestra <= 1.1.10
