PatchSiren cyber security CVE debrief
CVE-2026-45807 kestra-io CVE debrief
CVE-2026-45807 is a high-severity vulnerability in Kestra, an open-source, event-driven orchestration platform. The vulnerability exists in several Kestra API endpoints that accept a kestra:// URI from clients and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. An authenticated user can exploit this vulnerability to read any file on the host filesystem, including sensitive files such as /etc/passwd, mounted secrets, and other tenants' execution outputs. The vulnerability is fixed in Kestra versions 1.0.43 and 1.3.19. This CVE was published on June 26, 2026, and modified on June 29, 2026.
- Vendor: kestra-io
- Product: kestra
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-26
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-26
- Advisory updated: 2026-06-29
Who should care
Users of Kestra, especially those handling sensitive data or operating under high-security requirements, should be aware of this vulnerability and patch promptly. Security teams and administrators responsible for Kestra deployments should prioritize the upgrade to prevent exploitation. Because exploitation requires an authenticated user, anyone holding Kestra API credentials should also be alert to phishing: a phished account is all an attacker needs to reach the affected endpoints.
Technical summary
The vulnerability in Kestra's API allows an authenticated user to bypass StorageInterface.parentTraversalGuard by URL-encoding a .. segment as %2E%2E, a form the guard does not recognize as a parent reference. The downstream code then decodes the kestra:// URI and hands the resulting path to Paths.get() without normalization, so the .. segments are resolved by the operating system at open(2) time and the read escapes the storage root. This lets the user read any file on the host filesystem by manipulating the kestra:// URI. The vulnerability has a CVSS score of 7.7 and is classified as HIGH severity.
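The two checks side by side, as an added illustration written for this debrief and not Kestra's own code: a naive guard that inspects the still-encoded string (standing in for any check applied before decoding) beside a hardened guard that decodes, resolves against the storage root, normalizes, and only then tests containment on path components. The class and method names (TraversalGuardDemo, naiveGuardAccepts, hardenedGuardResolve) and the storage root path are assumptions; the sample inputs are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration, not Kestra's code. Compares a guard that looks at the
 * raw (encoded) path with one that decodes and normalizes before checking
 * that the result is still confined to the storage root.
 */
public final class TraversalGuardDemo {

    /** Storage root assumed for the illustration (hypothetical path). */
    static final Path STORAGE_ROOT =
        Paths.get("/var/lib/kestra/storage").toAbsolutePath().normalize();

    /** Weak guard: rejects ".." only when it appears literally in the encoded input,
     *  so "%2E%2E" slips through even though it decodes to "..". */
    static boolean naiveGuardAccepts(String encodedPath) {
        return !encodedPath.contains("..");
    }

    /**
     * Hardened guard: decode first, then resolve against the root and normalize so
     * every ".." is collapsed before the containment check. Path.startsWith compares
     * name components, so a sibling such as ".../storage2" does not pass.
     * Returns the confined absolute path, or null when the input escapes the root.
     */
    static Path hardenedGuardResolve(String encodedPath) {
        // URLDecoder also maps '+' to a space (form encoding); adequate for the
        // demonstration, a strict RFC 3986 path decode would use java.net.URI.
        String decoded = URLDecoder.decode(encodedPath, StandardCharsets.UTF_8);
        // Strip leading slashes so resolve() treats the input as relative to the root
        // instead of replacing the root with an absolute path.
        Path candidate = STORAGE_ROOT.resolve(decoded.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(STORAGE_ROOT)) {
            return null; // escaped the root: refuse before any Paths.get()/open
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: legitimate, literal traversal, encoded traversal.
        String[] samples = {
            "main/outputs/run-1/result.json",
            "../../../../etc/passwd",
            "%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd"
        };
        for (String s : samples) {
            System.out.printf("%-42s naive=%-5s hardened=%s%n",
                s, naiveGuardAccepts(s), hardenedGuardResolve(s));
        }
    }
}
```

Running the class shows the naive guard accepting the %2E%2E input while the hardened guard returns null for both traversal forms and a root-confined path for the legitimate one. The design point is ordering: decoding and normalization must happen before the containment check, and the check must be on Path components, not on a substring of whatever the client sent.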
Defensive priority
High priority should be given to patching Kestra deployments to prevent exploitation of this vulnerability. Administrators should ensure that all Kestra instances are upgraded to versions 1.0.43 or 1.3.19, or later, as soon as possible.
Recommended defensive actions
- Patch Kestra deployments to versions 1.0.43 or 1.3.19, or later.
- Review and monitor Kestra API logs for potential exploitation attempts.
- Implement additional security measures, such as restricting access to sensitive files and monitoring for suspicious activity.
- Conduct a thorough inventory of Kestra deployments and prioritize patching based on risk and exposure.
- Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent exploitation attempts.
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. The source item URL provides additional metadata about the CVE. The reference to the Kestra security advisory provides further context and details about the vulnerability and its fix.
Official resources
- CVE-2026-45807 CVE record (CVE.org)
- CVE-2026-45807 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.