CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL injection vulnerability in the endpoint "GET /api/v1/main/flows/search" that leads to remote code execution (RCE). Because the vulnerable endpoint is a GET request, an authenticated user who simply visits a crafted link is enough to trigger it. The injected payload is executed by PostgreSQL via COPY ... TO PROGRAM ..., which runs arbitrary OS commands on the database host. This issue has been patched in version 1.3.7.
More information: https://github.com/kestra-io/kestra/commit/3926762795df8ad3e03924b370c51832ed3a21d3
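The following is an added illustration of the bug class described in the advisory, not code from Kestra or from the advisory itself. It shows a search filter built by string concatenation (attacker text becomes SQL, so a stacked COPY ... TO PROGRAM statement reaches the server), the parameterised form in which the same text travels as a bound value, and the PostgreSQL query a practitioner would run to learn whether the role the application connects with could execute COPY ... TO PROGRAM at all (that requires superuser or membership of pg_execute_server_program on PostgreSQL 11 and later). The table name "flows", the column "namespace", the psycopg-style %s placeholder and the payload are assumptions for illustration; the page does not give Kestra's actual query or injection point.

```python
# Added illustration, not Kestra's code. Table/column names, the %s
# placeholder style (psycopg) and the payload are assumptions; the real
# vulnerable query and injection point are not given in the advisory.

# Constructed payload: closes the LIKE literal, stacks a COPY ... TO PROGRAM
# statement, and comments out the rest of the original query.
PAYLOAD = "x'; COPY (SELECT 1) TO PROGRAM 'id'; --"


def build_search_unsafe(q: str) -> str:
    """Vulnerable pattern: user text is spliced into the SQL statement."""
    return f"SELECT id FROM flows WHERE namespace LIKE '%{q}%'"


def build_search_safe(q: str):
    """Fixed pattern: user text is sent as a bound parameter, never as SQL."""
    return "SELECT id FROM flows WHERE namespace LIKE %s", (f"%{q}%",)


def stacked_statement_reaches_server(sql: str) -> bool:
    """Crude check: does 'TO PROGRAM' appear outside any single-quoted literal?

    Quoted text is blanked out first, so a search string that merely contains
    the words 'to program' inside the literal does not count.
    """
    in_quote = False
    visible = []
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote   # a doubled '' toggles twice and stays quoted
            visible.append(" ")
        elif in_quote:
            visible.append(" ")
        else:
            visible.append(ch)
    return "TO PROGRAM" in "".join(visible).upper()


# Run this as the application's database user (PostgreSQL 11+). Both columns
# must be false for COPY ... TO PROGRAM to be unavailable to that role.
ROLE_PRIVILEGE_CHECK_SQL = """
SELECT rolsuper,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER')
           AS has_execute_server_program
FROM pg_roles
WHERE rolname = current_user;
"""


def role_can_run_copy_program(rolsuper: bool, has_execute_server_program: bool) -> bool:
    """Interpret a row from ROLE_PRIVILEGE_CHECK_SQL."""
    return rolsuper or has_execute_server_program


if __name__ == "__main__":
    unsafe_sql = build_search_unsafe(PAYLOAD)
    print("unsafe:", unsafe_sql)
    print("stacked COPY reaches server:", stacked_statement_reaches_server(unsafe_sql))

    safe_sql, params = build_search_safe(PAYLOAD)
    print("safe:  ", safe_sql, params)
    print("stacked COPY reaches server:", stacked_statement_reaches_server(safe_sql))

    # Illustrative row shapes a reader might get back from the privilege check.
    for rolsuper, member in [(True, False), (False, True), (False, False)]:
        print(f"rolsuper={rolsuper} member={member} ->",
              "can run COPY TO PROGRAM" if role_can_run_copy_program(rolsuper, member)
              else "cannot")
```

Parameterisation removes the injection; the privilege check tells you how far an injection would have reached. Even with the application patched, a database role that is superuser or a member of pg_execute_server_program turns any future SQL injection into code execution on the database host, so the result of ROLE_PRIVILEGE_CHECK_SQL is worth recording in a deployment review.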
