CVE-2026-48129
MEDIUMKestra task inputFiles accepts traversal filenames for worker file writes
Title source: cnaDescription
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/kestra-io/kestra/security/advisories/GHSA-q3fw-mvgv-pjr2
Scores
CVSS v3
6.5
EPSS
0.0031
EPSS Percentile
22.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (4)
kestra-io/kestra
< 1.0.43
kestra-io/kestra
>= 1.1.0, < 1.1.19
kestra-io/kestra
>= 1.2.0, < 1.2.19
kestra-io/kestra
>= 1.3.0, < 1.3.19
Published
Jun 19, 2026
Tracked Since
Jun 20, 2026