JustAppSec

Kestra patches critical SQL injection RCE in flows search

2 min read
Published 03 Apr 2026 | Updated 03 Apr 2026
Source: CVEProject (cvelistV5)

TL;DR — A critical SQL injection in Kestra’s flow search API can be escalated into host OS command execution (RCE) in common deployments, turning a logged-in session into full server compromise.

What happened

Kestra is an open-source, event-driven orchestration platform often deployed as a web service for building and running scheduled/triggered automation workflows.

CVE-2026-34612 describes a critical SQL injection in Kestra’s GET /api/v1/main/flows/search endpoint that can be escalated to remote code execution. Per the CVE record, exploitation requires an authenticated user; once authenticated, simply visiting a crafted link can trigger SQL injection, and the injected payload can be executed by PostgreSQL using COPY ... TO PROGRAM ..., resulting in arbitrary OS command execution on the host.

This is high-signal for platform teams because orchestration/control-plane services typically run with broad network reach and access to secrets; a SQLi-to-RCE chain in the control plane is a common path to rapid lateral movement.

Who is impacted

  • Kestra deployments running versions < 1.3.7.
  • Highest-risk environments are those using the default docker-compose deployment model described in the CVE record (where the database execution primitive can be reachable in practice).
  • Any environment exposing the Kestra UI/API to untrusted users or where authenticated users can be induced to click attacker-controlled links.

Component   Affected versions (per CVE record)   Fixed version referenced by source
kestra      < 1.3.7                              1.3.7

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "This issue has been patched in version 1.3.7."

  • Treat this as a control-plane compromise risk: identify all internet- or corp-wide reachable Kestra endpoints and ensure access is tightly scoped (SSO, network segmentation, and least-privilege RBAC) until patched everywhere.
  • Review application and database logs for suspicious requests targeting GET /api/v1/main/flows/search, especially around unexpected query structures and high-entropy filters[...] inputs.
  • If compromise is suspected, rotate credentials reachable from the Kestra process (database creds, cloud tokens, webhooks, runner secrets) and review workflow/task execution history for anomalous runs.
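As an added illustration of the log-review step above (example code, not from this page or the Kestra project): a small triage script that flags requests to the affected endpoint whose decoded query parameters carry SQL markers, including the COPY/PROGRAM keywords the CVE record names. The access-log layout and the filters[q][EQUALS] parameter name are constructed assumptions, not Kestra's documented format.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/api/v1/main/flows/search"
# Markers that legitimate flow-search filters rarely contain; COPY/PROGRAM
# mirror the PostgreSQL primitive the advisory names, the rest are generic.
SQL_MARKERS = [
    (re.compile(r"'"), "single quote"),
    (re.compile(r"--|/\*|\*/"), "sql comment"),
    (re.compile(r";"), "statement separator"),
    (re.compile(r"\b(copy|program|union|select|pg_sleep)\b", re.I), "sql keyword"),
]

# Assumed combined-log-style request field: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def analyze_request(target):
    """Return (param, reason) hits for one request target; [] if not the endpoint."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    # parse_qsl decodes %XX once; unquote_plus again catches double encoding
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for pattern, reason in SQL_MARKERS:
            if pattern.search(decoded):
                hits.append((name, reason))
    return hits

def triage(log_lines):
    """Return (line_no, http_status, hits) for every suspicious log line."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits = analyze_request(m.group("target"))
            if hits:
                findings.append((n, int(m.group("status")), hits))
    return findings

# Constructed sample lines, not real Kestra logs; filters[q][EQUALS] is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - alice [03/Apr/2026:10:00:01 +0000] "GET /api/v1/main/flows/search?q=daily-report&size=25 HTTP/1.1" 200 812',
    '10.0.0.9 - bob [03/Apr/2026:10:00:07 +0000] "GET /api/v1/main/flows/search?filters%5Bq%5D%5BEQUALS%5D=x%27%3B--+COPY+TO+PROGRAM HTTP/1.1" 500 77',
    '10.0.0.9 - bob [03/Apr/2026:10:00:09 +0000] "GET /api/v1/main/flows/search?q=%2527+UNION+SELECT HTTP/1.1" 200 812',
    '10.0.0.5 - alice [03/Apr/2026:10:00:12 +0000] "GET /api/v1/main/executions/search?q=%27 HTTP/1.1" 200 100',
]
```

Call triage(SAMPLE_LOG) and correlate hits with HTTP 500 responses, since malformed injection attempts often surface as database errors before a working one succeeds.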

Additional Information

  • GitHub Security Advisory (upstream details and scoping): https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
