CVE-2026-49869 CRITICAL

CVE-2026-49869: Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

Vendor Kestra-Io

Product kestra

Weakness CWE-78

Published June 26, 2026

Last update June 29, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.

Key dates

02Disclosure timeline

June 26, 2026 CVE published

June 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-49869

Related vulnerabilities

Identifiers

CVE CVE-2026-49869

CWE CWE-78

CVSS 10.0 / CRITICAL

Affected versions

Vendor Kestra-Io

Product kestra

Affected < 1.0.45

Vendor Kestra-Io

Product kestra

Affected >= 1.1.0, < 1.3.21

CVE-2026-49869: Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

01Description

02Disclosure timeline

03References

04Related CVE