CVE-2026-29082
Cross-Site Scripting in Kestra Markdown Preview Component
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kestra | kestra | up to 1.1.10 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29082 is a Stored Cross-Site Scripting (XSS) vulnerability in Kestra versions up to 1.1.10, specifically in the Markdown file preview feature.
Kestra renders user-supplied Markdown (.md) files using the markdown-it library with the option html:true enabled, which allows raw HTML content. This rendered HTML is then injected into the Vue.js frontend using the v-html directive without any sanitization.
Because there is no sanitization, malicious scripts embedded in the Markdown files can execute in the context of the Kestra UI.
For example, an attacker can create a Markdown file containing an image tag with an onerror event handler that executes JavaScript code, such as alert(document.domain), which runs when the file is previewed.
How can this vulnerability impact me?
The XSS vulnerability allows attackers to execute arbitrary JavaScript in the context of the Kestra UI origin.
- Attackers can steal JWT authentication cookies and the X-Kestra-CSRF header.
- This enables full API impersonation of administrators or other tenant users.
The vulnerability is rated High severity with a CVSS v3 score of 7.3, indicating a significant risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying whether your Kestra installation is running version 1.1.10 or earlier and whether the execution-file preview feature renders user-supplied Markdown files with markdown-it instantiated with the option html:true, allowing raw HTML rendering without sanitization.
To detect exploitation or the presence of malicious Markdown files, check for Markdown files containing suspicious inline event handlers such as onerror, onload, or ontoggle attributes in your Kestra storage or flows.
A practical approach is to query the backend API endpoint that returns the raw Markdown content for preview, for example:
- curl -X GET "http://<kestra-host>/api/v1/<tenant>/executions/<execId>/file/preview?path=/xss.md" -H "Authorization: Bearer <token>"
Review the returned Markdown content for any embedded HTML tags with event handlers that could trigger JavaScript execution. [1]
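The review step above can be automated. The following scanner is an added example, not code from the advisory or from the Kestra project: it reads a Markdown file fetched from the preview endpoint and flags the raw HTML that a markdown-it instance with html:true would pass unsanitized to v-html (inline on* handlers, active-content tags, javascript: URLs), while ignoring code spans, which markdown-it escapes. The sample Markdown is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the Kestra project): flag raw HTML in a
// Markdown file that markdown-it with html:true would pass unsanitized to v-html.
// Fenced and inline code are blanked first because markdown-it escapes those.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);

// Overwrite code spans with spaces (newlines kept) so reported line numbers stay right.
function blankCode(md) {
  const blank = (s) => s.replace(/[^\n]/g, ' ');
  return md.replace(/```[\s\S]*?```/g, blank).replace(/`[^`\n]+`/g, blank);
}

// Returns one finding per risky raw-HTML tag: { line, tag, reason }.
function scanMarkdown(md) {
  const text = blankCode(md);
  const findings = [];
  const tagRe = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const line = text.slice(0, m.index).split('\n').length;
    const handler = /\b(on[a-z]+)\s*=/i.exec(attrs);
    if (ACTIVE_TAGS.has(tag)) findings.push({ line, tag, reason: `active content tag <${tag}>` });
    if (handler) findings.push({ line, tag, reason: `inline event handler ${handler[1].toLowerCase()}` });
    if (/\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      findings.push({ line, tag, reason: 'javascript: URL' });
    }
  }
  return findings;
}

// Constructed sample preview file: harmless Markdown plus the raw HTML the advisory
// describes (the onerror payload is the one the Q&A cites).
const SAMPLE_MD = [
  '# Release notes',
  'Safe **bold** text; this `<img onerror=x>` is inline code and gets escaped.',
  '```html',
  '<img src=x onerror=alert(1)>   <!-- fenced: also escaped -->',
  '```',
  '<img src=x onerror="alert(document.domain)">',
  '<a href="javascript:alert(1)">docs</a>',
  '<details ontoggle=alert(1)><summary>more</summary></details>',
].join('\n');

// Prints e.g. "line 6: <img> inline event handler onerror" when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanMarkdown(SAMPLE_MD)) console.log(`line ${f.line}: <${f.tag}> ${f.reason}`);
}
```

Run it over each file returned by the preview endpoint; a file with zero findings still deserves review if it contains raw HTML, but any finding is a concrete line to inspect.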
What immediate steps should I take to mitigate this vulnerability?
Since no patches are publicly available at the time of the advisory, immediate mitigation steps include:
- Avoid previewing or rendering user-supplied Markdown files in the Kestra UI to prevent execution of malicious scripts.
- Restrict access to the Kestra UI and API endpoints to trusted users only, minimizing the risk of malicious Markdown file uploads.
- Implement network-level controls such as firewall rules or web application firewalls (WAF) to monitor and block suspicious requests targeting the Markdown preview feature.
- Review and sanitize any Markdown content before it is uploaded or rendered, if possible, to remove unsafe HTML or event handlers.
Monitor Kestra project updates for any forthcoming patches addressing this vulnerability.