Executive Summary

CVE-2026-29082 is a Stored Cross-Site Scripting (XSS) vulnerability in Kestra versions up to 1.1.10, specifically in the Markdown file preview feature.

Kestra renders user-supplied Markdown (.md) files using the markdown-it library with the option html:true enabled, which allows raw HTML content. This rendered HTML is then injected into the Vue.js frontend using the v-html directive without any sanitization.

Because there is no sanitization, malicious scripts embedded in the Markdown files can execute in the context of the Kestra UI.

For example, an attacker can create a Markdown file containing an image tag with an onerror event handler that executes JavaScript code, such as alert(document.domain), which runs when the file is previewed.

Useful 0 Not Useful 0

Impact Analysis

The XSS vulnerability allows attackers to execute arbitrary JavaScript in the context of the Kestra UI origin.

• Attackers can steal JWT authentication cookies and the X-Kestra-CSRF header.
• This enables full API impersonation of administrators or other tenant users.

The vulnerability is rated High severity with a CVSS v3 score of 7.3, indicating a significant risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying if your Kestra installation is running version 1.1.10 or earlier and if the execution-file preview feature renders user-supplied Markdown files with markdown-it instantiated with the option html:true, allowing raw HTML rendering without sanitization.'}, {'type': 'paragraph', 'content': 'To detect exploitation or presence of malicious Markdown files, you can check for Markdown files containing suspicious inline event handlers such as onerror, onload, or ontoggle attributes in your Kestra storage or flows.'}, {'type': 'paragraph', 'content': 'A practical approach is to query the backend API endpoint that returns the raw Markdown content for preview, for example:'}, {'type': 'list_item', 'content': 'curl -X GET "http://<kestra-host>/api/v1/<tenant>/executions/<execId>/file/preview?path=/xss.md" -H "Authorization: Bearer <token>"'}, {'type': 'paragraph', 'content': 'Review the returned Markdown content for any embedded HTML tags with event handlers that could trigger JavaScript execution.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Since no patches are publicly available at the time of the advisory, immediate mitigation steps include:

• Avoid previewing or rendering user-supplied Markdown files in the Kestra UI to prevent execution of malicious scripts.
• Restrict access to the Kestra UI and API endpoints to trusted users only, minimizing the risk of malicious Markdown file uploads.
• Implement network-level controls such as firewall rules or web application firewalls (WAF) to monitor and block suspicious requests targeting the Markdown preview feature.
• Review and sanitize any Markdown content before it is uploaded or rendered, if possible, to remove unsafe HTML or event handlers.

Monitor Kestra project updates for any forthcoming patches addressing this vulnerability.

Useful 0 Not Useful 0