CVE-2026-53576 kestra-io CVE debrief

Who should care

Users of Kestra, especially those who have exposed the platform to untrusted networks or have not properly secured their instances, should be concerned about this vulnerability. The vulnerability's critical severity and potential for code execution as root on the host system make it a high-priority issue to address.

Technical summary

The authentication filter for Kestra's REST API incorrectly handles requests ending in /configs, treating them as the public instance-config endpoint. This bypasses Basic-Auth checks, allowing unauthenticated attackers to create flows and trigger executions. The vulnerability exists because Kestra addresses resources by URL path segments chosen by the caller. An attacker can create a flow with a Shell or Process task, which executes as root inside the Kestra container. Given that the official docker-compose.yml mounts /var/run/docker.sock, an attacker can potentially execute code on the host system.

Defensive priority

This vulnerability has a CVSS score of 10 and is classified as CRITICAL. It is essential to update Kestra to versions 1.0.45 or 1.3.21 immediately or apply compensating controls to mitigate the risk.

Recommended defensive actions

• Update Kestra to version 1.0.45 or 1.3.21.
• Restrict access to the Kestra API to trusted networks only.
• Implement additional authentication and authorization mechanisms for the Kestra API.
• Monitor Kestra API logs for suspicious activity.
• Perform regular security audits and vulnerability assessments.

Evidence notes

The vulnerability is confirmed by the Kestra security advisory (GHSA-2q47-568g-9h4f) and the CVE record. The NVD provides additional details about the vulnerability, including its CVSS score and vector.

Official resources