Authentication Bypass in Kestra Orchestration Platform by Kestra
CVE-2026-53576

10CRITICAL

Key Information:

Vendor: Kestra-io
Status: Kestra
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-53576?

The Kestra orchestration platform suffers from an authentication bypass vulnerability in its REST API. Specifically, any request ending with '/configs' is treated as public, bypassing necessary credential checks. This lack of authentication allows unauthorized users to create and execute flows, potentially leading to execution of harmful tasks as root within the container. Since the container's configuration mounts the Docker socket, it poses a significant risk, enabling an attacker to control the host's Docker daemon. This issue has been mitigated in versions 1.0.45 and 1.3.21.

Affected Version(s)

kestra < 1.0.45 < 1.0.45

kestra >= 1.1.0, < 1.3.21 < 1.1.0, 1.3.21

References

https://github.com/kestra-io/kestra/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 9, 2026

CVE-2026-53576 Data

JSON

Kestra-io

What is CVE-2026-53576?

Affected Version(s)

References

CVSS V3.1

Timeline