CVE-2026-38428
SQL Injection in Kestra Workflow Automation
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kestra | kestra | to 1.3.3 (inc) |
| kestra | kestra | to 1.3.7 (exc) |
| stripe | link | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to verify if the SQL Injection flaw is exploitable through the GET /api/v1/main/flows/search endpoint with authenticated access.
A practical detection method involves sending a crafted request that injects a SQL payload to execute a command on the database server, such as writing the output of the `id` command to a file.
For example, an injected payload using PostgreSQL's COPY ... TO PROGRAM feature can be used:
- Send a GET request with parameters that inject: `COPY (SELECT '') TO PROGRAM 'bash -c "id > /tmp/pwned"';`
After sending the payload, check the existence and contents of the file `/tmp/pwned` inside the PostgreSQL container or host to confirm exploitation.
If Kestra uses H2 as the database backend, a similar test can be performed by injecting a payload that writes to a file using H2's FILE_WRITE() function, for example writing "Hello world" to `/tmp/hello.txt`.
Can you explain this vulnerability to me?
CVE-2026-38428 is a SQL Injection vulnerability in Kestra version 1.3.3 and earlier. It occurs because user input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL expressions into the database query.
More specifically, the vulnerability arises from unsafe concatenation of user-supplied parameters into SQL strings used in JSONB containment expressions, which can be exploited to execute arbitrary SQL commands. In some cases, this can lead to remote code execution by leveraging database features such as PostgreSQL's COPY ... TO PROGRAM or H2's FILE_WRITE() function.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized data access, data manipulation, and remote code execution on the host running the database. Attackers can inject malicious SQL that may lead to disclosure of sensitive information, modification or deletion of data, and execution of arbitrary operating system commands.
The vulnerability has a critical CVSS score of 10.0, indicating it is easy to exploit remotely with low privileges and no user interaction required, and it affects confidentiality, integrity, and availability of the system.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of Kestra versions 1.3.3 and earlier, which are vulnerable to this SQL Injection.
Upgrade Kestra to version 1.3.7 or later, where this vulnerability has been fixed by replacing unsafe string concatenation with parameterized queries and proper JSONB operators.
If upgrading immediately is not possible, restrict access to the vulnerable endpoint to trusted users only, as exploitation requires authenticated access.
Additionally, review and implement input validation and sanitization to prevent injection of untrusted input into SQL queries.
Consider adding monitoring and alerting for suspicious database queries or unexpected file writes on the host.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Kestra versions 1.3.3 and before is a SQL Injection flaw that allows attackers to inject arbitrary SQL expressions into the database query. This can lead to unauthorized access, data manipulation, and potentially remote code execution, which compromises the confidentiality, integrity, and availability of data.
Such security breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and mandate controls to prevent unauthorized access and data breaches.
Specifically, exploitation of this vulnerability could lead to exposure or alteration of personal or protected health information, violating data protection requirements and potentially resulting in legal and financial penalties.