CVE-2026-55069
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
A vulnerability in the BasicAuth component of Kestra OSS before version 1.3.24 allows an attacker with read access to the PostgreSQL database to recover the administrator password offline due to SHA-512's high computation speed. In Kubernetes deployments, this enables privilege escalation to read the cluster ServiceAccount token and all K8s Secrets.
Risk Assessment
The risk includes administrator account takeover and, in Kubernetes deployments, full cluster compromise through access to secrets and authentication tokens.
Recommendation
Immediately upgrade Kestra to version 1.3.24 or later. Restrict access to the PostgreSQL database and consider using a stronger password hashing mechanism (e.g., bcrypt).
Original NVD description (English source)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.

