Kestra SQLi to RCE (CVE-2026-34612)
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execu...
Overview
A critical SQL injection vulnerability in the Kestra open-source orchestration platform can be chained to achieve full remote code execution. Tracked as CVE-2026-34612, this flaw exists in the default Docker Compose deployment of versions prior to 1.3.7. An authenticated attacker can exploit it simply by having a victim user visit a maliciously crafted link.
Vulnerability Details
The vulnerability is located in the GET /api/v1/main/flows/search API endpoint. Insufficient input validation allows an attacker to inject malicious SQL commands. The Kestra application uses a PostgreSQL database, and the injected payload is designed to be executed via the PostgreSQL COPY ... TO PROGRAM ... command. This database feature allows reading from or writing to an external program, effectively enabling the SQL injection to break out of the database and execute arbitrary operating system commands on the underlying host server.
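The following is an added example, not Kestra's code and not the vulnerable code path itself. It shows the class of defect the advisory describes, a search parameter spliced into SQL text, beside the parameterised form that fixes it. To run offline it uses sqlite3 with a constructed `flows` table (assumed names; not Kestra's schema) in place of PostgreSQL; the structural point is the same, except that on PostgreSQL the broken query structure is what lets injected statements reach `COPY ... TO PROGRAM`.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the flow table (not Kestra's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (id TEXT, namespace TEXT, restricted INTEGER)")
    conn.executemany(
        "INSERT INTO flows VALUES (?, ?, ?)",
        [
            ("hello-world", "company.team", 0),
            ("nightly-etl", "company.team", 0),
            ("billing-export", "finance.private", 1),  # should never be listed
        ],
    )
    return conn


def search_vulnerable(conn, q):
    """Defective pattern: user input becomes part of the SQL text.

    A quote or comment sequence in q changes the query's structure, so the
    restricted-row filter can be bypassed. This is the bug class, not the
    advisory's actual query.
    """
    sql = f"SELECT id FROM flows WHERE restricted = 0 AND id LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, q):
    """Parameterised query: q is bound as data and never parsed as SQL."""
    sql = "SELECT id FROM flows WHERE restricted = 0 AND id LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{q}%",))]


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR 1=1 --"  # constructed input that breaks out of the string literal
    print("vulnerable:", search_vulnerable(conn, probe))  # leaks the restricted row
    print("fixed:     ", search_fixed(conn, probe))       # matches nothing
```

With a benign term both functions return the same rows; with the quote-breaking input the concatenated version returns every row, restricted ones included, while the bound-parameter version simply finds no flow whose id contains that literal text. The fix is to bind parameters (or use the ORM/query builder's binding), not to filter characters.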
Impact and Severity
This vulnerability has a critical CVSS score of 9.9. The impact is severe because it allows an attacker with low-privilege user credentials to gain complete control of the host server running Kestra. Successful exploitation could lead to data theft, deployment of ransomware, or the compromise of other systems on the network. The attack requires no user interaction beyond visiting a link, making it highly reliable for an attacker once initial access is obtained.
Remediation and Mitigation
The primary and immediate action is to upgrade Kestra to version 1.3.7 or later, which contains the patch for this vulnerability. If an immediate upgrade is not possible, consider the following temporary mitigation steps:
- Restrict network access to the Kestra instance to only trusted users and networks.
- Review and minimize user accounts with access to the Kestra UI, adhering to the principle of least privilege.
- Isolate the Kestra server from other critical infrastructure using network segmentation.
Organizations should also review their systems for any signs of compromise, including web access logs for the affected endpoint and the PostgreSQL host for unexpected processes spawned by the database.
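As an added example for that review (not from the advisory or from Kestra), the script below scans access-log lines in the common combined format, which assumes a reverse proxy or web server logging in front of Kestra since the page does not describe Kestra's own request log format. It isolates requests to the endpoint named in the advisory, `/api/v1/main/flows/search`, URL-decodes each query parameter (twice, to catch double encoding) and flags SQL-injection indicators, with a dedicated indicator for the `COPY ... TO PROGRAM` chain the page describes. The log lines are constructed, the parameter name `q` is an assumption, and the indicators are heuristics rather than a signature.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SEARCH_PATH = "/api/v1/main/flows/search"  # endpoint named in the advisory

# Heuristic indicators ordered from generic to chain-specific; a single quote in
# a legitimate search term will trip quote_break, so triage on the combination.
INDICATORS = [
    ("sql_comment", re.compile(r"--|/\*")),
    ("statement_terminator", re.compile(r";")),
    ("quote_break", re.compile(r"'")),
    ("copy_to_program", re.compile(r"\bcopy\b.*\bprogram\b", re.I | re.S)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
]

# Combined access-log format (assumed front-end logging, not Kestra's own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def inspect_request(target):
    """Return (param, indicator) hits for one request target, or [] if off-path."""
    parts = urlsplit(target)
    if parts.path != SEARCH_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; this catches double encoding
        for label, pattern in INDICATORS:
            if pattern.search(decoded):
                hits.append((name, label))
    return hits


def scan_log(lines):
    """Return one finding per request to the search endpoint that trips an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m["target"])
        if hits:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "hits": hits}
            )
    return findings


# Constructed sample: one benign search, one quote/comment probe, one request
# carrying a COPY ... TO PROGRAM fragment (placeholder program 'x'), one off-path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:09:14:02 +0000] "GET /api/v1/main/flows/search?q=hello&page=1&size=10 HTTP/1.1" 200 812',
    '10.0.0.5 - - [10/Mar/2026:09:14:09 +0000] "GET /api/v1/main/flows/search?q=hello%27%3B--&page=1 HTTP/1.1" 200 64',
    '203.0.113.7 - - [10/Mar/2026:09:15:30 +0000] "GET /api/v1/main/flows/search?q=%27%29%3B+COPY+t+TO+PROGRAM+%27x%27--&page=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Mar/2026:09:16:01 +0000] "GET /api/v1/main/flows/abc?q=%27 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        labels = sorted({label for _, label in finding["hits"]})
        print(f'{finding["ts"]} {finding["ip"]} status={finding["status"]} {labels}')
```

Findings with `copy_to_program` deserve immediate follow-up on the database host, because that statement only runs for a superuser or a member of PostgreSQL's `pg_execute_server_program` role; confirming which role the application connects as, and whether the database process has spawned child processes, is the natural next check. A 5xx status on a flagged request does not mean the attempt failed, since the chain may have executed before the query errored.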
Security Insight
This vulnerability exemplifies the dangerous evolution of SQL injection from a data confidentiality issue into a direct vector for system takeover, especially in applications whose database role has access to powerful features such as PostgreSQL's COPY ... TO PROGRAM option. It mirrors the risk profile of past incidents such as the 2017 Equifax breach, where a Struts vulnerability led to massive data exfiltration, underscoring that foundational web flaws in orchestration or management platforms carry outsized risk because of the high level of system access those platforms hold.