Unauthenticated Remote Code Execution in Kestra Orchestration Platform
CVE-2026-49869

CVSS 10 CRITICAL

Key Information:

Vendor: Kestra-io
Status: Vendor
CVE Published: 26 June 2026

What is CVE-2026-49869?

Kestra is an open-source orchestration platform for managing event-driven workflows. Its AuthenticationFilter exempts the public configuration endpoint from authentication, but the exemption is implemented as a suffix match rather than an exact path match: any request whose path ends with '/configs' is treated as the public endpoint and passes the filter unauthenticated. A remote attacker can therefore reach endpoints that end with '/configs' without valid credentials, and through them trigger arbitrary workflow execution. Because Kestra ships with script execution plugins enabled by default, this results in remote code execution as root inside the Kestra worker container. The flaw is fixed in versions 1.0.45 and 1.3.21; upgrading to one of those releases is the remediation.

Affected Version(s)

kestra: affected < 1.0.45; fixed in 1.0.45

kestra: affected >= 1.1.0, < 1.3.21; fixed in 1.3.21

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
