SQL Injection Vulnerability in Kestra by Kestra-io
CVE-2026-38428

9.8CRITICAL

Key Information:

Vendor: Kestra-io
Status: Kestra
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-38428?

Kestra versions prior to 1.3.3 are susceptible to an SQL Injection vulnerability due to the insecure handling of user input from a GET parameter. This flaw allows attackers to inject arbitrary SQL code into the database queries, potentially compromising the integrity and confidentiality of stored data. Proper input validation and parameterization of SQL queries are essential to mitigate the risks associated with this vulnerability.

References

https://www.link.com

https://github.com/kestra-io/kestra/security/advisories/G...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-38428 Data

JSON