Detection Guidance

This vulnerability can be detected by attempting to verify if the SQL Injection flaw is exploitable through the GET /api/v1/main/flows/search endpoint with authenticated access.

A practical detection method involves sending a crafted request that injects a SQL payload to execute a command on the database server, such as writing the output of the `id` command to a file.

For example, an injected payload using PostgreSQL's COPY ... TO PROGRAM feature can be used:

• Send a GET request with parameters that inject: `COPY (SELECT '') TO PROGRAM 'bash -c "id > /tmp/pwned"';`

After sending the payload, check the existence and contents of the file `/tmp/pwned` inside the PostgreSQL container or host to confirm exploitation.

If Kestra uses H2 as the database backend, a similar test can be performed by injecting a payload that writes to a file using H2's FILE_WRITE() function, for example writing "Hello world" to `/tmp/hello.txt`.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Kestra versions 1.3.3 and earlier, which are vulnerable to this SQL Injection.

Upgrade Kestra to version 1.3.7 or later, where this vulnerability has been fixed by replacing unsafe string concatenation with parameterized queries and proper JSONB operators.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint to trusted users only, as exploitation requires authenticated access.

Additionally, review and implement input validation and sanitization to prevent injection of untrusted input into SQL queries.

Consider adding monitoring and alerting for suspicious database queries or unexpected file writes on the host.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Kestra versions 1.3.3 and before is a SQL Injection flaw that allows attackers to inject arbitrary SQL expressions into the database query. This can lead to unauthorized access, data manipulation, and potentially remote code execution, which compromises the confidentiality, integrity, and availability of data.

Such security breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and mandate controls to prevent unauthorized access and data breaches.

Specifically, exploitation of this vulnerability could lead to exposure or alteration of personal or protected health information, violating data protection requirements and potentially resulting in legal and financial penalties.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-38428 is a SQL Injection vulnerability in Kestra version 1.3.3 and earlier. It occurs because user input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL expressions into the database query.

More specifically, the vulnerability arises from unsafe concatenation of user-supplied parameters into SQL strings used in JSONB containment expressions, which can be exploited to execute arbitrary SQL commands. In some cases, this can lead to remote code execution by leveraging database features such as PostgreSQL's COPY ... TO PROGRAM or H2's FILE_WRITE() function.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized data access, data manipulation, and remote code execution on the host running the database. Attackers can inject malicious SQL that may lead to disclosure of sensitive information, modification or deletion of data, and execution of arbitrary operating system commands.

The vulnerability has a critical CVSS score of 10.0, indicating it is easy to exploit remotely with low privileges and no user interaction required, and it affects confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0