CVE-2026-45807
Status: Received - Intake
Path Traversal in Kestra Orchestration Platform

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .. written as %2E%2E slips through. The downstream code then calls URI.getPath(), which decodes %2E%2E back to .., and the resulting path is handed to Paths.get(...) without normalization. The OS resolves the .. segments at open(2) time, so an authenticated user with a single execution can read any file the Kestra process has access to on the host filesystem (/etc/passwd, mounted secrets, other tenants' execution outputs, etc.). This vulnerability is fixed in 1.0.43 and 1.3.19.
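The mechanism the description names, as added example code written for this page (not Kestra's own source): a guard that inspects only `URI.toString()` beside a check that decodes, normalizes and then compares as a `Path` against the storage root. The storage root path, the class and its method names are assumptions.

```java
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;

public class TraversalGuardDemo {
    // Assumed storage root for the local backend (constructed value, not Kestra's real path).
    static final Path STORAGE_ROOT = Paths.get("/var/lib/kestra-storage").toAbsolutePath().normalize();

    // Weak guard modelled on the advisory: it inspects only the literal URI text,
    // so a percent-encoded ".." (%2E%2E) is never recognised as a traversal segment.
    static boolean weakGuardRejects(URI uri) {
        return uri.toString().contains("..");
    }

    // What the downstream code ends up opening: getPath() percent-decodes, and Paths.get()
    // keeps the ".." segments, leaving the OS to resolve them at open time.
    static Path resolvedWithoutNormalize(URI uri) {
        return STORAGE_ROOT.resolve(uri.getPath().replaceFirst("^/+", ""));
    }

    // Hardened resolution: decode first, normalize lexically, then compare as Paths rather
    // than strings, so a sibling such as /var/lib/kestra-storage2 cannot pass a prefix test.
    static Path safeResolve(URI uri) {
        String decoded = uri.getPath();
        if (decoded == null || decoded.isEmpty()) {
            throw new IllegalArgumentException("URI has no path: " + uri);
        }
        Path candidate = STORAGE_ROOT.resolve(decoded.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(STORAGE_ROOT)) {
            throw new IllegalArgumentException("URI escapes the storage root: " + uri);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign object key and an encoded traversal attempt.
        URI benign = new URI("kestra:///main/flow/data.csv");
        URI encoded = new URI("kestra:///main/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd");

        System.out.println("weak guard rejects encoded? " + weakGuardRejects(encoded)); // false: bypassed
        System.out.println("path handed to the OS:      " + resolvedWithoutNormalize(encoded));
        System.out.println("safe resolve (benign):      " + safeResolve(benign));
        try {
            safeResolve(encoded);
        } catch (IllegalArgumentException e) {
            System.out.println("safe resolve (encoded):     rejected, " + e.getMessage());
        }
    }
}
```

`normalize()` is purely lexical; if symlinks can exist under the storage root, resolve the final existing path with `toRealPath()` and repeat the `startsWith` check.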
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: kestra | Product: kestra | Version / Range: to 1.0.43 (inc)
Vendor: kestra | Product: kestra | Version / Range: to 1.3.19 (inc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

This vulnerability exists in Kestra, an open-source event-driven orchestration platform, in versions prior to 1.0.43 and 1.3.19. Several Kestra API endpoints accept a kestra:// URI from clients and pass it through a security check called StorageInterface.parentTraversalGuard before accessing files in local storage. However, this guard only inspects the literal URI string and does not decode URL-encoded characters like %2E%2E, which represents '..'.

Because the downstream code decodes %2E%2E back to '..' and then uses this path without normalization, the operating system resolves these '..' segments during file access. This allows an authenticated user to perform directory traversal attacks, potentially reading any file the Kestra process has access to on the host filesystem, such as /etc/passwd, mounted secrets, or other tenants' execution outputs.

This vulnerability is fixed in Kestra versions 1.0.43 and 1.3.19.

Impact Analysis

This vulnerability can have serious impacts because it allows an authenticated user to read arbitrary files on the host filesystem that the Kestra process has access to. This could lead to exposure of sensitive information such as system files (/etc/passwd), mounted secrets, or data belonging to other tenants.

Such unauthorized file access can compromise confidentiality and potentially lead to further attacks or data breaches within your environment.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kestra to version 1.0.43 or 1.3.19 or later, where the issue has been fixed.
