CVE-2026-48129

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L                                    

Vulnerability Description

Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.

Vulnerability Details

Published Date

June 19, 2026

Last Modified

June 19, 2026

CWE ID

CWE-22

Source

NVD

Vendor

kestra-io

Product

kestra

External References

https://github.com/kestra-io/kestra/security/advisories/GHSA-q3fw-mvgv-pjr2

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment