Path Traversal Vulnerability in Kestra Orchestration Platform
CVE-2026-48129

6.5 MEDIUM

Key Information:

Vendor

Kestra-io

Status
Vendor
CVE Published:
19 June 2026

What is CVE-2026-48129?

Kestra, an event-driven orchestration platform, has a path traversal vulnerability in its handling of task input file names. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, the platform did not validate the file names given in the inputFiles parameter. When those names were built from untrusted execution or webhook data containing ../ path segments, they resolved outside the task's designated working directory, so an attacker could create or overwrite files elsewhere on the worker filesystem. Users are advised to upgrade to the patched versions to mitigate this risk.
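As an added illustration of the mitigation (example code, not Kestra's own), the following Python check resolves each inputFiles entry against the task working directory and rejects any name that would land outside it; the working directory path and sample names are constructed for the example.

```python
from pathlib import Path, PurePosixPath

# Constructed example working directory; it does not need to exist for the check.
WORKING_DIR = "/tmp/kestra-worker/exec-0001"


def resolve_input_file(working_dir: str, name: str) -> Path:
    """Return the absolute path an inputFiles entry would be written to,
    or raise ValueError if it would land outside working_dir."""
    if not name:
        raise ValueError("empty file name")
    base = Path(working_dir).resolve()
    rel = PurePosixPath(name)
    if rel.is_absolute():
        raise ValueError(f"absolute path not allowed: {name!r}")
    # Reject '..' anywhere in the name, not only as a prefix: 'a/../../b'
    # escapes too. This is deliberately conservative ('a/../b' is also refused).
    if ".." in rel.parts:
        raise ValueError(f"parent-directory segment in {name!r}")
    # resolve() normalises '.' and follows symlinks already present under the
    # working directory, so a symlinked subdirectory pointing elsewhere is caught.
    target = (base / rel).resolve()
    # relative_to() is a true containment test; a string prefix check would
    # wrongly accept a sibling such as '/tmp/kestra-worker/exec-0001-other'.
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"{name!r} resolves outside the working directory") from None
    if target == base:
        raise ValueError(f"{name!r} names the working directory itself")
    return target


def is_safe_input_file(working_dir: str, name: str) -> bool:
    """Boolean form of the check, convenient for filtering a whole inputFiles map."""
    try:
        resolve_input_file(working_dir, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names of the kind an untrusted webhook payload could carry.
    samples = ["data/input.csv", "./report.json", "../../outside.txt",
               "/etc/constructed-target", "a/../../b", "."]
    for n in samples:
        verdict = "ok" if is_safe_input_file(WORKING_DIR, n) else "REJECTED"
        print(f"{n!r:26} -> {verdict}")
```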

Affected Version(s)

kestra < 1.0.43

kestra >= 1.1.0, < 1.1.19

kestra >= 1.2.0, < 1.2.19

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved