CVE-2026-34612 · CRITICAL 9.0 · EPSS p46.5%


Description

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL injection vulnerability that leads to remote code execution (RCE) in the endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.66% probability of exploitation · percentile 46.5% · 2026-06-19T12:03:05Z
Published: 2026-04-03
Last modified: 2026-04-13

Underlying weaknesses (1)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

  1. https://github.com/kestra-io/kestra/commit/3926762795df8ad3e03924b370c51832ed3a21d3
  2. https://github.com/kestra-io/kestra/releases/tag/v1.3.7
  3. https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x


Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-38428
CVE: CVE-2026-30860
CVE: CVE-2026-3960
CVE: CVE-2025-24669
CVE: CVE-2026-35171
CVE: CVE-2026-25241

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.