CVE-2026-49984
Received Received - Intake
Path Traversal in Kestra Orchestration Platform

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past the guard using backslashes (..\..\..\); the guard sees a harmless string, and the path is only rewritten to ../../../ after validation, immediately before the file is opened. Any authenticated user who can view an execution (the lowest-privilege role) can call GET /api/v1/{tenant}/executions/{executionId}/file?path=… and read any file on the server filesystem readable by the Kestra process, outside the storage sandbox and across every tenant and namespace. This includes the embedded H2 database (all flows, all users, all stored secrets), internal storage of every other tenant/namespace, mounted secret files, and the process environment (/proc/self/environ) which contains configured database and secret-backend credentials. It is a complete breach of Kestra's storage isolation and multi-tenancy boundary. This vulnerability is fixed in 1.0.45 and 1.3.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-27
EPSS Evaluated
N/A
NVD
CVE-2026-49984
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kestra kestra to 1.0.45 (inc)
kestra kestra to 1.3.23 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-180 The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Kestra, an open-source event-driven orchestration platform, specifically in its local internal-storage backend before versions 1.0.45 and 1.3.23.

The issue arises because the backend validates user-supplied file paths for directory traversal sequences (like "..") before converting Windows-style backslashes (\) to forward slashes (/). An attacker can exploit this by using backslashes to bypass the traversal validation.

After validation, the path is rewritten to include traversal sequences (e.g., ../../../), allowing the attacker to access files outside the intended storage sandbox.

Any authenticated user with the lowest privilege role (able to view an execution) can use a specific API call (GET /api/v1/{tenant}/executions/{executionId}/file?path=…) to read any file on the server filesystem that the Kestra process can read, including sensitive files like the embedded H2 database, secrets, and environment variables.

This results in a complete breach of Kestra's storage isolation and multi-tenancy boundaries.

Impact Analysis

This vulnerability allows an authenticated user with minimal privileges to read any file on the server that Kestra can access.

The attacker can access sensitive data such as all stored flows, all users' data, stored secrets, secret files mounted on the system, and environment variables containing database and secret-backend credentials.

This can lead to unauthorized disclosure of confidential information, compromise of other tenants' data in a multi-tenant environment, and potential further exploitation using the stolen credentials.

Overall, it represents a serious security breach impacting confidentiality and isolation guarantees.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kestra to version 1.0.45 or 1.3.23 or later, where the issue has been fixed.

Compliance Impact

This vulnerability allows any authenticated user with the lowest privilege to read any file on the server filesystem accessible by the Kestra process, including sensitive data such as stored secrets, database contents, and environment variables containing credentials.

Such unauthorized access to sensitive information can lead to breaches of confidentiality and data protection requirements mandated by common standards and regulations like GDPR and HIPAA.

Therefore, this vulnerability compromises the storage isolation and multi-tenancy boundaries, potentially resulting in non-compliance with these regulations due to exposure of personal data and protected health information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart