A critical security vulnerability has been unmasked in Kestra, the popular open-source, event-driven orchestration platform. The flaw, tracked as CVE-2026-34612, carries a maximum CVSS score of 10.0, signaling that a successful exploit can lead to a complete compromise of the host server.
Kestra is designed to simplify complex workflows using Infrastructure as Code principles, but a breakdown in its internal database logic has created a dangerous shortcut for attackers. The vulnerability is rooted in a SQL Injection flaw found within the platform’s search functionality.
The technical cause is a lack of parameter binding in the PostgresFlowRepositoryService. When a user searches for flows using labels, the application directly concatenates the search parameters into a SQL string.
As the technical report explains, “An attacker can break out of the JSON string and inject an entire new SQL statement (stacked query). The sql string is passed directly into DSL.condition(sql), so untrusted key and value are injected into the SQL query without parameterization”.
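To make the root cause concrete, here is an added illustration (not Kestra's code and not the actual patch): the unsafe pattern the report describes next to a bound-parameter version. It assumes a `labels` JSONB column holding `[{"key": ..., "value": ...}]` objects and uses jOOQ's plain SQL API together with Jackson for JSON serialisation.

```java
// Added example, not Kestra's code. Column name and JSON layout are assumptions.
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.jooq.Condition;
import org.jooq.DSLContext;
import org.jooq.SQLDialect;
import org.jooq.impl.DSL;

import java.util.List;
import java.util.Map;

public class LabelSearchCondition {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // UNSAFE: key and value are pasted into the SQL text. A quote inside either
    // one terminates the JSON/SQL string literal early, and whatever follows is
    // parsed as SQL, which is exactly the breakout the report describes.
    static Condition unsafeLabelCondition(String key, String value) {
        String sql = "labels @> '[{\"key\":\"" + key + "\",\"value\":\"" + value + "\"}]'::jsonb";
        return DSL.condition(sql);
    }

    // SAFE: the JSON document is produced by a JSON library (quotes and backslashes
    // in key/value are escaped) and then handed to the driver as a bind variable.
    // User input never becomes part of the statement text.
    static Condition boundLabelCondition(String key, String value) throws JsonProcessingException {
        String json = MAPPER.writeValueAsString(List.of(Map.of("key", key, "value", value)));
        return DSL.condition("labels @> cast(? as jsonb)", json);
    }

    public static void main(String[] args) throws JsonProcessingException {
        DSLContext ctx = DSL.using(SQLDialect.POSTGRES);
        // Constructed input containing a single quote; enough to show the literal breaking.
        String key = "env";
        String value = "it's";
        System.out.println("unsafe SQL : " + ctx.render(unsafeLabelCondition(key, value)));
        System.out.println("bound SQL  : " + ctx.render(boundLabelCondition(key, value)));
        System.out.println("bind values: " + ctx.extractBindValues(boundLabelCondition(key, value)));
    }
}
```

As defence in depth, note that `COPY ... TO PROGRAM` requires superuser or the `pg_execute_server_program` role, so the database role Kestra connects with should hold neither.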
While many SQL injections are used only to steal data, this flaw is far more potent because of how it interacts with the underlying PostgreSQL database. Because Kestra’s default Docker-compose deployment often runs with high privileges, an attacker can use “stacked queries” to execute powerful administrative commands.
The attack chain is remarkably simple for an authenticated user:
- The attacker visits or tricks another user into clicking a specially crafted link.
- The malicious link triggers the GET /api/v1/main/flows/search endpoint.
- The injected payload is executed by PostgreSQL using the COPY … TO PROGRAM … command.
- This command allows the attacker to run arbitrary OS commands directly on the host machine.
Because the attacker can execute any command on the host, the impact is total. Once inside, an adversary can:
- Exfiltrate sensitive YAML workflows and secrets.
- Deploy malware or ransomware across the microservice architecture.
- Pivot to other infrastructure managed by the Kestra platform.
The vulnerability affects Kestra versions 1.3.6 and earlier. The development team has responded rapidly, releasing patches that implement proper input escaping and parameterization.
Administrators are urged to upgrade to the following versions immediately: