CVE-2026-49869
Authentication Bypass in Kestra Leading to RCE

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.
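As an added illustration (not code from this page or from the Kestra project), the suffix check the advisory describes is shown beside an exact-match replacement, followed by a scan of constructed access-log lines for requests that the suffix rule would have exempted from Basic Auth. The public endpoint path /api/v1/configs is an assumption; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated in the advisory): the intended public endpoint is /api/v1/configs.
PUBLIC_CONFIG_PATH = "/api/v1/configs"


def is_exempt_vulnerable(path: str) -> bool:
    """The pre-fix rule as the advisory describes it: a bare suffix match,
    so any path whose last segment is 'configs' skips Basic Auth."""
    return path.endswith("/configs")


def is_exempt_fixed(path: str) -> bool:
    """Exact-match allowlist: only the one public endpoint skips Basic Auth."""
    return path == PUBLIC_CONFIG_PATH


# Combined-log-style request line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_bypass_candidates(log_lines):
    """Return (method, path, status) for requests that the suffix rule exempts
    but the exact-match rule does not. On a release before 1.0.45 / 1.3.21, a
    non-401 status for such a request is worth investigating."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # A path-based filter check sees no query string, so compare the path only
        path = urlsplit(m["target"]).path
        if is_exempt_vulnerable(path) and not is_exempt_fixed(path):
            hits.append((m["method"], path, int(m["status"])))
    return hits


# Constructed sample log lines (not from any real deployment)
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2026:10:00:01 +0000] "GET /api/v1/configs HTTP/1.1" 200 812',
    '10.0.0.5 - - [26/Jun/2026:10:00:02 +0000] "GET /api/v1/flows HTTP/1.1" 401 0',
    '10.0.0.9 - - [26/Jun/2026:10:00:03 +0000] "POST /api/v1/example/configs?x=1 HTTP/1.1" 200 40',
    '10.0.0.9 - - [26/Jun/2026:10:00:04 +0000] "GET /api/v1/configs/ HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG):
        print("request exempted by suffix match only:", hit)
```

Only the third line is reported: the exact public endpoint and the trailing-slash variant are treated the same by both rules, and the 401 on /api/v1/flows shows Basic Auth working as intended.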
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
kestra    kestra     up to 1.3.21 (exclusive)
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

Kestra is an open-source orchestration platform that had a vulnerability in its AuthenticationFilter before versions 1.0.45 and 1.3.21. The filter used a suffix match to whitelist the public configuration endpoint by checking if the request path ended with "/configs". Because this was a suffix match rather than an exact match, any API path ending with "configs" could bypass authentication.

This flaw allows an unauthenticated remote attacker to create and execute arbitrary workflows without needing credentials. Since Kestra includes script execution plugins enabled by default, this leads to unauthenticated remote code execution as root inside the Kestra worker container.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to bypass authentication and execute arbitrary workflows remotely without any credentials.

Due to the default inclusion of script execution plugins, an attacker can achieve remote code execution with root privileges inside the Kestra worker container, potentially compromising the entire system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kestra to version 1.0.45 or 1.3.21 (or a later release of the respective line), where the AuthenticationFilter check has been fixed.

Compliance Impact

This vulnerability allows unauthenticated remote attackers to execute arbitrary workflows and obtain remote code execution as root within the Kestra worker container. Such unauthorized access and control can lead to exposure, modification, or destruction of sensitive data.

As a result, organizations using vulnerable versions of Kestra may fail to meet security requirements mandated by common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, this vulnerability poses a significant risk to compliance with these regulations due to the potential for unauthorized data access and system compromise.
