🔴 Critical | CVE-2026-49869 — Kestra is an open-source, event-driven orchestrati...
🔴 CVE-2026-49869
CVSS score: 10.0 (Critical) | Status: Received | Published: 2026-06-26
Vulnerability description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.
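The root cause above is a path allowlist built on a suffix match. The following Java snippet is an added illustration, not Kestra's own filter code, that places the suffix check named in the advisory beside an exact-match allowlist and includes a small helper a defender can run over access-log paths to flag requests that the suffix check would have admitted but an exact allowlist would not. The public endpoint path `/api/v1/configs`, the `ConfigsAllowlist` class, and the sample paths are assumptions made for the example; the real Kestra route table may differ.

```java
import java.net.URI;
import java.util.Set;

// Added example (not Kestra project code): suffix-match allowlist vs. exact-match allowlist.
public class ConfigsAllowlist {

    // Assumed public configuration endpoint, used only for illustration.
    private static final Set<String> PUBLIC_PATHS = Set.of("/api/v1/configs");

    // The pattern described in the advisory: any path ending in "/configs" is treated as public.
    static boolean isPublicBySuffix(String path) {
        return path.endsWith("/configs");
    }

    // Hardened pattern: normalize the path, then require an exact match against a fixed set.
    // Fails closed (returns false) if the path cannot be parsed.
    static boolean isPublicByExactMatch(String rawPath) {
        String path;
        try {
            path = URI.create(rawPath).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (path == null) {
            return false;
        }
        // Collapse a single trailing slash so "/api/v1/configs/" resolves to the same route.
        if (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return PUBLIC_PATHS.contains(path);
    }

    // Detection aid: true when the weak check would have skipped authentication
    // for a path that is not actually on the public allowlist. Useful when
    // reviewing access logs from an unpatched instance.
    static boolean suffixBypassSuspected(String rawPath) {
        return isPublicBySuffix(rawPath) && !isPublicByExactMatch(rawPath);
    }

    public static void main(String[] args) {
        // Constructed sample paths; only the first is the assumed public endpoint.
        String[] samples = {
            "/api/v1/configs",
            "/api/v1/configs/",
            "/api/v1/example/configs",
            "/api/v1/flows",
        };
        for (String p : samples) {
            System.out.printf("%-28s suffix=%-5b exact=%-5b suspect=%b%n",
                    p, isPublicBySuffix(p), isPublicByExactMatch(p), suffixBypassSuspected(p));
        }
    }
}
```

Running `main` prints one line per sample: the assumed public endpoint (with or without a trailing slash) passes both checks, the constructed `/api/v1/example/configs` passes only the suffix check and is flagged as suspect, and `/api/v1/flows` passes neither. The fix is a matter of comparing against a closed set of normalized paths rather than against a string fragment; a suffix, prefix, or `contains` test on a request path is a recurring source of CWE-184 (incomplete denylist/allowlist) authentication bypasses.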
Vulnerability details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-49869 |
| CVSS score | 10.0 (Critical) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-78, CWE-184, CWE-287, CWE-918 |
| Published | 2026-06-26 |
| Last updated | 2026-06-26 |
| Status | Received |
| Data source | security-advisories@github.com |
References
🤖 This article was generated automatically by the CVE Security Bulletin Bot
Data source: NVD (National Vulnerability Database) | Retrieved: 2026-06-27 09:06