PT-2026-30266 · Kestra · Kestra

Blvck-Ltr

·

Published

2026-04-03

·

Updated

2026-04-09

·

CVE-2026-34612

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.3.7
Description Kestra is an event-driven orchestration platform. Versions prior to 1.3.7 contain a SQL Injection vulnerability in the 'GET /api/v1/main/flows/search' endpoint, which can lead to Remote Code Execution (RCE). Authenticated users can trigger this issue by visiting a crafted link. The vulnerability exploits PostgreSQL's COPY ... TO PROGRAM ... functionality to execute arbitrary OS commands on the host system.
Recommendations Update to version 1.3.7 or later.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2026-34612

Affected Products

Kestra