CVE-2026-38428
Analyzed Analyzed - Analysis Complete

SQL Injection in Kestra Workflow Automation

Vulnerability report for CVE-2026-38428, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: MITRE

Description

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-05
Last Modified
2026-05-08
Generated
2026-07-06
AI Q&A
2026-05-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kestra kestra to 1.0.35 (exc)
kestra kestra From 1.1.0 (inc) to 1.3.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-38428 is a SQL Injection vulnerability in Kestra version 1.3.3 and earlier. It occurs because user input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. This allows attackers to inject arbitrary SQL expressions into the database query.

More specifically, the vulnerability arises from unsafe concatenation of user-supplied parameters into SQL strings used in JSONB containment expressions, which can be exploited to execute arbitrary SQL commands. In some cases, this can lead to remote code execution by leveraging database features such as PostgreSQL's COPY ... TO PROGRAM or H2's FILE_WRITE() function.

Impact Analysis

This vulnerability can have severe impacts including unauthorized data access, data manipulation, and remote code execution on the host running the database. Attackers can inject malicious SQL that may lead to disclosure of sensitive information, modification or deletion of data, and execution of arbitrary operating system commands.

The vulnerability has a critical CVSS score of 10.0, indicating it is easy to exploit remotely with low privileges and no user interaction required, and it affects confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by attempting to verify if the SQL Injection flaw is exploitable through the GET /api/v1/main/flows/search endpoint with authenticated access.

A practical detection method involves sending a crafted request that injects a SQL payload to execute a command on the database server, such as writing the output of the `id` command to a file.

For example, an injected payload using PostgreSQL's COPY ... TO PROGRAM feature can be used:

  • Send a GET request with parameters that inject: `COPY (SELECT '') TO PROGRAM 'bash -c "id > /tmp/pwned"';`

After sending the payload, check the existence and contents of the file `/tmp/pwned` inside the PostgreSQL container or host to confirm exploitation.

If Kestra uses H2 as the database backend, a similar test can be performed by injecting a payload that writes to a file using H2's FILE_WRITE() function, for example writing "Hello world" to `/tmp/hello.txt`.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of Kestra versions 1.3.3 and earlier, which are vulnerable to this SQL Injection.

Upgrade Kestra to version 1.3.7 or later, where this vulnerability has been fixed by replacing unsafe string concatenation with parameterized queries and proper JSONB operators.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint to trusted users only, as exploitation requires authenticated access.

Additionally, review and implement input validation and sanitization to prevent injection of untrusted input into SQL queries.

Consider adding monitoring and alerting for suspicious database queries or unexpected file writes on the host.

Compliance Impact

The vulnerability in Kestra versions 1.3.3 and before is a SQL Injection flaw that allows attackers to inject arbitrary SQL expressions into the database query. This can lead to unauthorized access, data manipulation, and potentially remote code execution, which compromises the confidentiality, integrity, and availability of data.

Such security breaches can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and mandate controls to prevent unauthorized access and data breaches.

Specifically, exploitation of this vulnerability could lead to exposure or alteration of personal or protected health information, violating data protection requirements and potentially resulting in legal and financial penalties.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart