Cyber Posture

CVE-2026-34612

Severity: Critical · Public PoC

Published: 03 April 2026
Modified: 13 April 2026
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL injection vulnerability that leads to remote code execution (RCE) in the endpoint GET /api/v1/main/flows/search. Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Directly prevents SQL injection attacks by validating and sanitizing user input to the vulnerable /api/v1/main/flows/search endpoint.
Prevent: Ensures timely patching of the specific SQL injection flaw as fixed in Kestra version 1.3.7.
Detect: Vulnerability scanning identifies SQL injection vulnerabilities like this one in the application prior to exploitation.

Security Summary (AI-generated)

CVE-2026-34612 is a SQL injection vulnerability in Kestra, an open-source event-driven orchestration platform, affecting versions prior to 1.3.7 in the default Docker Compose deployment. The flaw resides in the GET /api/v1/main/flows/search endpoint, where unsanitized input allows attackers to inject malicious SQL payloads. This injection leverages PostgreSQL's COPY ... TO PROGRAM ... command, enabling remote code execution (RCE) by executing arbitrary OS commands on the host system. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-89.

An authenticated user with low privileges can exploit this vulnerability simply by visiting a crafted URL targeting the search endpoint, requiring no additional interaction. Successful exploitation grants attackers full RCE on the underlying host, potentially allowing complete compromise of the orchestration platform and any connected systems or data workflows.

Kestra addressed this issue in version 1.3.7, as detailed in the project's security advisory (GHSA-365w-2m69-mp9x), release notes, and the patching commit. Security practitioners should upgrade to 1.3.7 or later and review deployments for exposure of the affected endpoint.
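As an added illustration of the "review deployments for exposure of the affected endpoint" advice (example code written for this page, not Kestra's or the advisory's), the following Python scans web-access log lines for GET requests to the search endpoint whose decoded query-string values carry the PostgreSQL COPY ... TO PROGRAM construct named above, or generic SQL-injection tokens. The log line layout, the parameter name q and the sample lines are constructed assumptions; this page does not name the injectable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoint named in the advisory. Paths are compared after URL-decoding.
SEARCH_PATH = "/api/v1/main/flows/search"

# Indicators checked against every decoded query value sent to that endpoint: the COPY ... TO PROGRAM construct plus generic injection tokens.
INDICATORS = [
    ("copy_to_program", re.compile(r"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I | re.S)),
    ("stacked_statement", re.compile(r";\s*(SELECT|COPY|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("quote_breakout", re.compile(r"'\s*(OR|AND|;|--)", re.I)),
    ("comment_truncation", re.compile(r"--|/\*")),
]

# Access-log shape assumed for this example (constructed, not Kestra's own format): <client> <user> "<METHOD> <path?query> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})')

def inspect_request(line):
    """Return [(parameter, indicator), ...] for one log line; [] if benign or unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m.group(3), m.group(4)
    parts = urlsplit(target)
    if method != "GET" or unquote_plus(parts.path) != SEARCH_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote_plus(value)  # parse_qsl decoded once; decode again to catch double-encoding
        hits.extend((name, label) for label, pattern in INDICATORS if pattern.search(value))
    return hits

def scan(lines):
    """Map 1-based line numbers to their indicator hits, for lines that have any."""
    findings = {}
    for number, line in enumerate(lines, 1):
        hits = inspect_request(line)
        if hits:
            findings[number] = hits
    return findings

# Constructed sample log: one benign search, two suspicious searches, one unrelated request.
# The parameter name "q" is an assumption; the advisory does not name the injectable parameter.
SAMPLE_LOG = [
    '10.0.0.5 alice "GET /api/v1/main/flows/search?q=daily-report&size=25 HTTP/1.1" 200',
    '10.0.0.9 bob "GET /api/v1/main/flows/search?q=%27%3B%20COPY%20x%20TO%20PROGRAM%20%27true%27%20-- HTTP/1.1" 200',
    '10.0.0.9 bob "GET /api/v1/main/flows/search?q=x%27%20OR%201%3D1-- HTTP/1.1" 200',
    '10.0.0.7 carol "POST /api/v1/main/flows HTTP/1.1" 201',
]
```

A hit is a triage signal, not proof of exploitation: legitimate search strings containing `--` will trip comment_truncation, so tune the indicator list to your own traffic.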

Details

CWE(s): CWE-89

Affected Products: kestra / kestra, ≤ 1.3.7

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

SQL injection in remote web API endpoint (/api/v1/main/flows/search) enables low-privileged authenticated attackers to achieve RCE via PostgreSQL COPY TO PROGRAM, directly facilitating exploitation of remote services (T1210) and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
