SQL Injection Vulnerability in Kestra Event-Driven Orchestration Platform
CVE-2026-34612

10 CRITICAL

Key Information:

Vendor: Kestra-io
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-34612?

CVE-2026-34612 is a SQL injection vulnerability in the Kestra Event-Driven Orchestration Platform, an open-source platform for managing and automating workflows. It affects Kestra versions prior to 1.3.7 and stems from improper validation of user-supplied input to the endpoint GET /api/v1/main/flows/search. The published description frames exploitation as an authenticated user visiting a malicious link; the CVSS vector (Privileges Required: Low, User Interaction: None) additionally indicates that any low-privileged authenticated account can invoke the endpoint directly. Either way, the injected SQL reaches the PostgreSQL database that backs Kestra, and the advisory reports that this can be escalated to Remote Code Execution (RCE) through PostgreSQL's COPY ... TO PROGRAM, which hands a command to the operating-system shell on the database host. Two points a practitioner should keep in mind: COPY ... TO PROGRAM runs as the operating-system user of the PostgreSQL server process, so the host that is compromised is the database server (which may or may not be the machine running Kestra), and PostgreSQL only permits it for superusers and members of the pg_execute_server_program role, so the privileges granted to Kestra's database role decide whether the injection stops at data theft or reaches command execution.
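
The defect class, shown as an added example rather than Kestra's own code: a search handler that splices the caller's query string into SQL, beside the parameterised form that closes the hole. It runs against an in-memory SQLite database with constructed rows so it works offline; the table, columns, function names and payload are illustrative assumptions, not the endpoint's real query or the exploit used against it.

```python
"""Added example (not Kestra's code): a flows-search handler written the
vulnerable way and the parameterised way, run against constructed data."""
import sqlite3

# Constructed sample rows standing in for a flows table (assumption).
SAMPLE_FLOWS = [
    ("prod", "nightly-etl"),
    ("prod", "billing-export"),
    ("dev", "scratch-test"),
]


def _connect() -> sqlite3.Connection:
    """Build an in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (namespace TEXT NOT NULL, id TEXT NOT NULL)")
    conn.executemany("INSERT INTO flows VALUES (?, ?)", SAMPLE_FLOWS)
    return conn


def search_flows_unsafe(conn, namespace: str, q: str):
    # VULNERABLE: caller-controlled strings are spliced into the statement,
    # so a quote character in `q` changes the structure of the query.
    sql = (
        "SELECT namespace, id FROM flows "
        f"WHERE namespace = '{namespace}' AND id LIKE '%{q}%'"
    )
    return conn.execute(sql).fetchall()


def search_flows_safe(conn, namespace: str, q: str):
    # HARDENED: input travels as bound parameters and is never parsed as SQL.
    # The LIKE pattern is assembled in Python, with wildcard characters in `q`
    # escaped so the caller cannot widen the match either.
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT namespace, id FROM flows "
        "WHERE namespace = ? AND id LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (namespace, "%" + escaped + "%")).fetchall()


# Illustrative tautology payload (assumption, not the CVE's payload): it closes
# the string literal, appends an always-true condition and comments out the
# rest of the WHERE clause.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    """Run both handlers with the payload and with a normal query."""
    conn = _connect()
    return {
        "unsafe_rows": search_flows_unsafe(conn, "prod", PAYLOAD),
        "safe_rows": search_flows_safe(conn, "prod", PAYLOAD),
        "normal": search_flows_safe(conn, "prod", "etl"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe variant returns every row, including the dev namespace the caller was restricted from, because the payload's `--` comments away the remainder of the WHERE clause; the safe variant just searches for the literal text and finds nothing. SQLite's `execute` refuses stacked statements, which is why the demo stops at a tautology; where the database driver accepts several statements in one call, the same splice point lets an attacker append further statements, and whether that reaches COPY ... TO PROGRAM depends on the database role. Two queries worth running as Kestra's database user: `SELECT rolsuper FROM pg_roles WHERE rolname = current_user;` and `SELECT pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER');`. Both should return false for an application role; if either is true, upgrading to 1.3.7 and trimming the role's privileges belong on the same ticket.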

Potential impact of CVE-2026-34612

  1. Remote Code Execution: The most severe outcome is arbitrary operating-system command execution on the host running the PostgreSQL server that backs Kestra (the Kestra application host itself when the two are co-located). From there an attacker can read or alter anything that host can reach and establish persistent control over it.

  2. Data Breaches: Even where command execution is blocked by database privileges, the injection gives read access to whatever the Kestra database role can see, which includes flow definitions and operational data and may include personally identifiable information (PII) or business secrets handled by those workflows.

  3. Operational Disruption: Workflows orchestrated by Kestra can be altered, stopped or abused once an attacker controls the platform, interrupting the business processes that depend on them and causing financial loss and reputational damage.

Affected Version(s)

kestra < 1.3.7

CVSS V3.1

Score: 10
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Vector string (assembled from the metrics above): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Note: the score and metrics are reproduced as published. Evaluated with the CVSS v3.1 base-score formula, the listed metrics give 9.9 rather than 10.0; a 10.0 requires Privileges Required: None. The description's "visits a malicious link" scenario would instead correspond to User Interaction: Required, which brings the same vector down to 9.0. The issue is critical under any of these readings, but confirm the authoritative vector against the vendor's advisory record before recording it.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 3 April 2026