CVE Catalog

CVE-2026-53577

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

In Kestra prior to versions 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation.

Risk Assessment

The risk involves unauthorized access to sensitive output data from other executions, potentially leading to leakage of business or configuration information within a single tenant.

Recommendation

Immediately upgrade Kestra to version 1.0.45 or 1.3.21, which include the fix for this vulnerability.

Original NVD description (English source)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS