Critical SQL Injection Vulnerability in Kestra (CVE-2026-34612)

Critical SQL Injection Vulnerability in Kestra (CVE-2026-34612)

First seen 5 Apr 2026, 02:30 UTC FeedlyMondoo 87% similarity 74.0

Article Content

Browse articles
ThreatCluster

A critical SQL Injection vulnerability, identified as CVE-2026-34612, affects Kestra versions prior to 1.3.7. This vulnerability exists in the GET /api/v1/main/flows/ endpoint of the default Docker Compose deployment, allowing authenticated users to execute arbitrary OS commands on the host system via crafted links. The vulnerability is classified with a CVSS score of 9.9, indicating a severe risk to confidentiality, integrity, and availability. Although no public proof-of-concept or evidence of exploitation has been reported, the potential for Remote Code Execution (RCE) poses a significant threat. Users are strongly advised to upgrade to version 1.3.7 or later to mitigate the risk. Until patching is feasible, restricting network access and implementing network segmentation are recommended. The CVE was published on April 3, 2026, and patches are available.

Key Points: • CVE-2026-34612 is a critical SQL Injection vulnerability in Kestra affecting versions prior to 1.3.7. • The vulnerability allows authenticated users to trigger Remote Code Execution via crafted links. • Users are advised to upgrade to version 1.3.7 immediately to mitigate risks.

ThreatCluster AI

Timeline

2026-04-03
CVE-2026-34612 published
2026-04-04
Articles published detailing the vulnerability and its impact

Community

Browse all →