Cyber Resilience

CVE-2026-34612

Severity: Critical · Public PoC referenced
Published: 03 April 2026
Modified: 13 April 2026
CVSS v3.1 base score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0066 (46.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34612 is a critical-severity SQL injection (CWE-89) vulnerability in Kestra, an open-source event-driven orchestration platform. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34612 is a SQL injection vulnerability in Kestra, an open-source event-driven orchestration platform, affecting versions prior to 1.3.7 in the default Docker Compose deployment. The flaw is in the GET /api/v1/main/flows/search endpoint, where unsanitized request input reaches a SQL query and lets an attacker alter the statement the database executes. The published exploitation path chains that injection into PostgreSQL's COPY ... TO PROGRAM, which has the database server run an arbitrary OS command on the host it runs on, turning the injection into remote code execution (RCE). COPY ... TO PROGRAM is only permitted for superusers and members of the pg_execute_server_program role, so the RCE step depends on the database role Kestra connects with holding that privilege; the advisory scopes the issue to the default Docker Compose deployment. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-89.

Any authenticated user with low privileges (PR:L) can trigger the flaw with a single crafted GET request to the search endpoint, with no further interaction (UI:N). Because the injected command executes as the PostgreSQL server's OS user rather than within the web application's authorization model (consistent with the changed scope, S:C, in the vector), successful exploitation grants the attacker code execution on the host, potentially allowing complete compromise of the orchestration platform and any connected systems or data workflows.

Kestra addressed this issue in version 1.3.7, as detailed in the project's security advisory (GHSA-365w-2m69-mp9x), release notes, and the patching commit. Upgrade to 1.3.7 or later, review deployments for exposure of the affected endpoint, check the access logs of any instance that ran an affected version for unusual requests to it, and, as defense in depth, connect Kestra to PostgreSQL with a role that is neither a superuser nor a member of pg_execute_server_program where the deployment permits it, so that a future injection cannot reach OS command execution.
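The vulnerable pattern and its hardened form, as an added illustration that is not Kestra's code and is not taken from the advisory or the proof-of-concept: a constructed flows table in SQLite stands in for the PostgreSQL-backed search, the search_vulnerable/search_hardened functions, the allowlist and the payload are hypothetical, and SQLite cannot run COPY ... TO PROGRAM, so the example stops at the point where attacker input rewrites the query rather than reproducing the command-execution step.

```python
import sqlite3

# Constructed schema for illustration only; this is not Kestra's real table.
# SQLite stands in for PostgreSQL here: it shows how spliced input changes the
# query, but it has no COPY ... TO PROGRAM, so the RCE step is not reproduced.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (namespace TEXT, id TEXT)")
    conn.executemany(
        "INSERT INTO flows VALUES (?, ?)",
        [("team-a", "nightly-etl"), ("team-a", "report"), ("team-b", "payroll-export")],
    )
    return conn

ALLOWED_SORT_COLUMNS = {"id", "namespace"}  # hypothetical identifier allowlist

def search_vulnerable(conn, namespace: str, q: str, sort: str = "id"):
    # CWE-89 pattern: user input spliced into the SQL text. A quote in q ends
    # the LIKE literal and everything after it is parsed as SQL.
    sql = (f"SELECT namespace, id FROM flows "
           f"WHERE namespace = '{namespace}' AND id LIKE '%{q}%' ORDER BY {sort}")
    return conn.execute(sql).fetchall()

def search_hardened(conn, namespace: str, q: str, sort: str = "id"):
    # Values travel as bind parameters, so q is data and never SQL text.
    # Identifiers (the ORDER BY column) cannot be bound, so they are allowlisted
    # instead of escaped.
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = (f"SELECT namespace, id FROM flows "
           f"WHERE namespace = ? AND id LIKE ? ORDER BY {sort}")
    return conn.execute(sql, (namespace, f"%{q}%")).fetchall()

def rejects_sort(conn, sort: str) -> bool:
    """True if the hardened search refuses the given ORDER BY identifier."""
    try:
        search_hardened(conn, "team-a", "etl", sort=sort)
    except ValueError:
        return True
    return False

def demo():
    conn = make_db()
    # Hypothetical payload: closes the literal, makes the WHERE clause always
    # true, and comments out the rest of the statement.
    payload = "' OR 1=1 --"
    vuln = search_vulnerable(conn, "team-a", payload)   # leaks team-b's flows
    safe = search_hardened(conn, "team-a", payload)     # no rows: treated literally
    return vuln, safe

if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)
    print("hardened:  ", safe)
```

Against PostgreSQL the same string-splicing bug additionally admits a stacked statement, which is where COPY ... TO PROGRAM enters; that step needs the connecting role to be a superuser or a member of pg_execute_server_program, so running the application under a lesser role confines an injection to the data that role can read and write. The ORDER BY column is the detail search endpoints most often get wrong: bind parameters cannot carry identifiers, so they need an allowlist, not escaping.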

Vulnerability details

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

SQL injection in a remote web API endpoint (/api/v1/main/flows/search) lets low-privileged authenticated attackers achieve RCE via PostgreSQL COPY ... TO PROGRAM: the attacker exploits a remote service (T1210) and, because the resulting command runs on the host rather than within the user's application permissions, escalates privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29082 · Same product: Kestra
CVE-2026-33664 · Same product: Kestra
CVE-2026-21708 · Shared CWE-89
CVE-2025-59213 · Shared CWE-89
CVE-2025-22976 · Shared CWE-89
CVE-2025-53727 · Shared CWE-89
CVE-2026-33288 · Shared CWE-89
CVE-2026-26116 · Shared CWE-89
CVE-2025-49759 · Shared CWE-89
CVE-2025-61943 · Shared CWE-89

Affected Assets

Vendor: kestra
Product: kestra
Affected versions: < 1.3.7 (fixed in 1.3.7)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents SQL injection by validating and sanitizing user input to the vulnerable /api/v1/main/flows/search endpoint; parameterized queries keep user data out of the SQL text altogether.

SI-2 Flaw Remediation (prevent)
Ensures timely patching of the SQL injection flaw, fixed in Kestra version 1.3.7.

Vulnerability scanning (detect)
Vulnerability scanning identifies SQL injection flaws like this one in the application before exploitation.
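A detection check that complements the "detect" control above, added here as an example and not part of this page or the Kestra project: it scans constructed combined-format access-log lines for requests to /api/v1/main/flows/search whose decoded query parameters carry COPY ... TO PROGRAM (high confidence) or generic SQL metacharacters (lower confidence). The log format, the client names, the synthetic payload and the parameter names are assumptions; the advisory does not name the injectable parameter, so every parameter value is inspected.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (combined format). These are not real Kestra logs; the
# payload on the second line is a synthetic stand-in for the pattern the
# advisory describes, not a working exploit.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Apr/2026:10:15:02 +0000] "GET /api/v1/main/flows/search?q=etl&page=1&size=25 HTTP/1.1" 200 1532
10.0.0.7 - bob [03/Apr/2026:10:15:09 +0000] "GET /api/v1/main/flows/search?q=%27%3B%20COPY%20t%20TO%20PROGRAM%20%27%2Fbin%2Ftrue%27--&page=1 HTTP/1.1" 500 87
10.0.0.9 - carol [03/Apr/2026:10:16:44 +0000] "GET /api/v1/main/flows/search?q=it%27s%20broken&page=1 HTTP/1.1" 200 300
10.0.0.9 - carol [03/Apr/2026:10:17:01 +0000] "GET /api/v1/main/namespaces HTTP/1.1" 200 410
"""

VULNERABLE_PATH = "/api/v1/main/flows/search"

# client, ident, user, timestamp, request line, status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Generic SQL metacharacters: noisy on their own (a search for "it's broken"
# trips them), so they only rate "medium".
SQL_META_RE = re.compile(r"'|;|--|/\*|\*/")
# The primitive the advisory names: PostgreSQL COPY ... TO PROGRAM. Requiring
# both keywords in one value keeps this signal specific.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bPROGRAM\b", re.IGNORECASE | re.DOTALL)

@dataclass
class Finding:
    client: str
    user: str
    status: str
    severity: str          # "high" or "medium"
    reason: str
    params: Dict[str, List[str]]

def classify_params(params: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for decoded query parameters, or None if clean."""
    values = " ".join(v for vs in params.values() for v in vs)
    if COPY_PROGRAM_RE.search(values):
        return "high", "COPY ... TO PROGRAM in query parameter"
    if SQL_META_RE.search(values):
        return "medium", "SQL metacharacters in query parameter"
    return None

def scan_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urllib.parse.urlsplit(m.group("target"))
        if parsed.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes values, so an encoded %27 or %3B is seen as
        # the ' or ; the database would have received.
        params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
        verdict = classify_params(params)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append(Finding(m.group("client"), m.group("user"),
                                m.group("status"), severity, reason, params))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.client:10} {f.user:6} HTTP {f.status}  {f.reason}")
```

Point scan_log at the reverse-proxy or Kestra access log instead of SAMPLE_LOG. The metacharacter rule is a hunting lead, not an alert: legitimate searches contain apostrophes. The COPY/PROGRAM rule is specific enough to alert on, and a 500 response on the endpoint alongside either rule deserves a closer look. Since the fix is a code change, this is for finding past exploitation attempts and for covering the window before upgrading to 1.3.7.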
