Critical SQL Injection Vulnerability in Kestra (CVE-2026-34612)
Severity: High (Score: 74.0)
Sources: Mondoo, Feedly
Summary
A critical SQL Injection vulnerability, identified as CVE-2026-34612, affects Kestra versions prior to 1.3.7. It exists in the GET /api/v1/main/flows/ endpoint of the default Docker Compose deployment (which runs Kestra against PostgreSQL) and allows an authenticated user to execute arbitrary OS commands on the host system via crafted links to that endpoint. The vulnerability carries a CVSS score of 9.9, indicating severe impact on confidentiality, integrity, and availability (the "Score: 74.0" in the header above is not on the CVSS scale). Although no public proof-of-concept or evidence of in-the-wild exploitation has been reported, the potential for Remote Code Execution (RCE) makes this a significant threat. Users are strongly advised to upgrade to version 1.3.7 or later. Until patching is feasible, restrict network access to the Kestra API and segment the deployment from the rest of the network; because the flaw is reachable by any authenticated user, the interim mitigation must limit who can reach the endpoint rather than rely on authentication alone. The CVE was published on April 3, 2026, and patches are available.
Key Points:
- CVE-2026-34612 is a critical SQL Injection vulnerability in Kestra affecting versions prior to 1.3.7.
- The vulnerability allows authenticated users to trigger Remote Code Execution via crafted links.
- Users are advised to upgrade to version 1.3.7 immediately to mitigate risks.
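As an added example (not code from Kestra, Mondoo or Feedly), the following Python helpers do the two checks a responder would want from this advisory: compare a reported Kestra version against the fixed release 1.3.7, and hunt access logs for GET requests to /api/v1/main/flows/ whose query string carries SQL metacharacters. The log lines are constructed for illustration, the query parameter names in them are assumptions, and the injection markers are generic SQL indicators for a PostgreSQL backend, not a payload for this CVE, which has no public proof of concept.

```python
"""Triage helpers for CVE-2026-34612 (Kestra < 1.3.7).

Added example; not code from Kestra or from the advisory sources.
Assumptions: the sample log lines below are constructed in a common
log format, their query parameter names are illustrative, and the
SQL markers are generic hunting heuristics rather than the CVE's payload.
"""
import re
from urllib.parse import unquote_plus, urlsplit

FIXED_VERSION = (1, 3, 7)          # first release with the fix, per the advisory
TARGET_PATH = "/api/v1/main/flows"  # affected endpoint, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.3.6', 'v1.3.7' or '1.3.7-SNAPSHOT' into a numeric tuple."""
    core = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in core.groups())


def is_affected(version: str) -> bool:
    """True when the Kestra version is older than the fixed release 1.3.7."""
    return parse_version(version) < FIXED_VERSION


# Generic SQL injection indicators for a PostgreSQL backend (assumption of
# this example, not a known payload for this CVE).
SQLI_MARKERS = re.compile(
    r"('|--|;|/\*|\bUNION\b|\bSELECT\b|\bpg_sleep\b|\bCOPY\b|\bPROGRAM\b)",
    re.IGNORECASE,
)

# Common log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_flows_requests(log_lines):
    """Return (ip, user, decoded query) for GET requests to the affected
    endpoint (or any sub-path of it) whose query string carries SQL markers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        path = parts.path.rstrip("/")
        if path != TARGET_PATH and not path.startswith(TARGET_PATH + "/"):
            continue
        query = unquote_plus(parts.query)  # decode %27, + etc. before matching
        if SQLI_MARKERS.search(query):
            hits.append((m["ip"], m["user"], query))
    return hits


# Constructed sample log lines (not real traffic); parameter names are assumed.
SAMPLE_LOG = [
    '10.0.0.5 - alice [03/Apr/2026:10:00:01 +0000] "GET /api/v1/main/flows/?page=1&size=10 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [03/Apr/2026:10:00:07 +0000] "GET /api/v1/main/flows/?q=%27%20OR%201%3D1-- HTTP/1.1" 500 0',
    '10.0.0.9 - bob [03/Apr/2026:10:00:09 +0000] "POST /api/v1/main/flows/ HTTP/1.1" 201 128',
    '10.0.0.9 - bob [03/Apr/2026:10:00:12 +0000] "GET /api/v1/main/executions/?q=it%27s HTTP/1.1" 200 64',
]


if __name__ == "__main__":
    for v in ("1.3.6", "1.3.7", "1.4.0"):
        print(f"Kestra {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for ip, user, query in suspicious_flows_requests(SAMPLE_LOG):
        print(f"suspicious GET {TARGET_PATH}/ from {ip} ({user}): {query}")
```

The version check treats anything below 1.3.7 as affected, matching the advisory's "prior to 1.3.7"; the log scan only flags GET requests to the named endpoint so that unrelated endpoints with apostrophes in ordinary data (the executions search above) do not produce noise. Hits are leads for review, not confirmation of exploitation.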
Key Entities
- SQL Injection (attack_type)
- CVE-2026-34612 (cve)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- Docker (tool)
- Docker Compose (platform)
- Kestra (platform)
- PostgreSQL (platform)