CVE-2026-49984 kestra-io CVE debrief

Who should care

Users of Kestra, especially those with sensitive data stored in the platform, should be aware of this vulnerability. Authenticated users with the lowest-privilege role can exploit this vulnerability to access sensitive data across all tenants and namespaces.

Technical summary

The vulnerability exists in the local internal-storage backend of Kestra. The backend validates user-supplied paths for .. traversal before converting Windows-style backslashes to forward slashes. An attacker can smuggle a traversal sequence past the guard using backslashes, allowing them to read any file on the server filesystem readable by the Kestra process. This can be exploited by calling GET /api/v1/{tenant}/executions/{executionId}/file?path=… with a malicious path.

Defensive priority

High priority should be given to upgrading Kestra to versions 1.0.45 or 1.3.23. In the meantime, defenders should restrict access to the affected API endpoint and monitor for suspicious activity.

Recommended defensive actions

• Upgrade Kestra to version 1.0.45 or 1.3.23
• Restrict access to the affected API endpoint
• Monitor for suspicious activity
• Review and update access controls for Kestra users
• Perform a thorough review of Kestra's storage and filesystem configurations

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The source item URL provides additional context on the vulnerability. The reference to the GitHub security advisory provides further details on the vulnerability and the fix.

Official resources