Access Control Bypass in Kestra Orchestration Platform
CVE-2026-53577

6.5 MEDIUM

Key Information:

Vendor: Kestra-io
Status: Vendor
CVE Published: 26 June 2026

What is CVE-2026-53577?

Kestra, an open-source event-driven orchestration platform, has a vulnerability in the previewFileFromExecution endpoint. This security flaw enables any authenticated user to gain access to output files from all executions within the same tenant, thus circumventing the intended execution-level and namespace-level isolation. The issue is addressed in versions 1.0.45 and 1.3.21, making it essential for users on earlier versions to update to safeguard their data.
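The description above states the gap at the level of policy: a tenant check alone is not enough, because execution output must also be bound to a namespace the caller may read and to the execution it actually came from. The following is an added illustrative model, not Kestra's code and not a description of how the previewFileFromExecution endpoint is implemented; the `Execution`, `Principal`, `preview_tenant_only` and `preview_checked` names and the sample data are all constructed here. It places the tenant-only check beside a version that enforces both isolation levels before any file bytes are returned.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Execution:
    id: str
    tenant: str
    namespace: str
    output_files: frozenset  # URIs of files this execution produced


@dataclass(frozen=True)
class Principal:
    id: str
    tenant: str
    readable_namespaces: frozenset  # namespaces this user may read executions in


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data: two namespaces in one tenant, one execution each.
EXECUTIONS = {
    "exec-finance-1": Execution("exec-finance-1", "acme", "finance",
                                frozenset({"kestra:///finance/report.csv"})),
    "exec-marketing-1": Execution("exec-marketing-1", "acme", "marketing",
                                  frozenset({"kestra:///marketing/leads.csv"})),
}
FILES = {
    "kestra:///finance/report.csv": b"quarter,revenue\nQ1,1000\n",
    "kestra:///marketing/leads.csv": b"name,email\nalice,a@example.com\n",
}


def preview_tenant_only(principal, execution_id, uri):
    """Insufficient check (hypothetical): once the execution is in the caller's
    tenant, any file URI is served. Neither namespace-level nor execution-level
    isolation is enforced, which is the class of gap the advisory describes."""
    execution = EXECUTIONS.get(execution_id)
    if execution is None or execution.tenant != principal.tenant:
        raise NotFound(execution_id)
    return FILES[uri]


def preview_checked(principal, execution_id, uri):
    """Enforces both isolation levels before returning any file content."""
    execution = EXECUTIONS.get(execution_id)
    if execution is None or execution.tenant != principal.tenant:
        raise NotFound(execution_id)
    # Namespace-level isolation: the caller must hold read access to the
    # namespace the execution ran in, not merely membership in the tenant.
    if execution.namespace not in principal.readable_namespaces:
        raise Forbidden(f"{principal.id} may not read namespace {execution.namespace}")
    # Execution-level isolation: the requested URI must be an output of this
    # execution, so a readable execution id cannot be paired with another
    # execution's file.
    if uri not in execution.output_files:
        raise Forbidden(f"{uri} is not an output of {execution_id}")
    return FILES[uri]


def is_allowed(principal, execution_id, uri):
    """True if the checked endpoint would serve the file, False otherwise."""
    try:
        preview_checked(principal, execution_id, uri)
        return True
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    marketing_user = Principal("bob", "acme", frozenset({"marketing"}))
    # Same tenant, different namespace: the tenant-only check serves the file,
    # the checked version refuses it.
    print(preview_tenant_only(marketing_user, "exec-finance-1",
                              "kestra:///finance/report.csv"))
    print(is_allowed(marketing_user, "exec-finance-1",
                     "kestra:///finance/report.csv"))   # False
    print(is_allowed(marketing_user, "exec-marketing-1",
                     "kestra:///marketing/leads.csv"))  # True
```

The two checks are deliberately separate: the namespace check is what stops a user in one namespace from reading another namespace's executions, and the URI-to-execution binding is what stops a user who legitimately holds one execution from pointing that execution id at a different execution's output.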

Affected Version(s)

kestra < 1.0.45

kestra >= 1.1.0, < 1.3.21

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved