Cyber Resilience

CVE-2026-55069

Severity: High · Public PoC

Published: 26 June 2026
Modified: 01 July 2026
KEV Added: not listed
Patch: fixed in 1.3.24
CVSS v3.1 score: 8.7 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS score: 0.0016 (5.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-55069 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in Kestra (vendor: Kestra). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE is ranked at the 5.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.
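The weakness described above (CWE-916) is that a plain SHA-512 digest is designed to be fast, so each offline guess against a leaked hash costs almost nothing. The following is an added example, not Kestra's code and not the fix shipped in 1.3.24: it contrasts a single-pass SHA-512 record with a salted, iterated PBKDF2-HMAC-SHA512 record, verifies passwords in constant time, measures the per-hash cost ratio, and flags legacy single-pass records so a deployment can rehash them at next login. The iteration count, record format and sample password are assumptions for the demo.

```python
"""Added example (not Kestra's code): contrast a fast, unsalted single-pass
SHA-512 password hash (the CWE-916 pattern) with a salted, iterated
PBKDF2-HMAC-SHA512 record, and detect legacy records that need rehashing."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed cost for this demo; tune to the server's latency budget.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha512"


def weak_sha512(password: str) -> str:
    """The CWE-916 pattern: one unsalted SHA-512 pass, cheap to recompute."""
    return hashlib.sha512(password.encode()).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha512$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the stored record's parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != RECORD_PREFIX:
        return False  # legacy or unknown format: never accept it silently
    _, iters, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for a bare single-pass digest or an under-iterated PBKDF2 record.

    A migration path: verify the legacy record once at login, then overwrite
    it with hardened_hash() so the slow record replaces the fast one."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != RECORD_PREFIX:
        return True
    return int(parts[1]) < min_iterations


def cost_ratio(password: str = "constructed-demo-password",
               weak_samples: int = 10_000) -> float:
    """Rough wall-clock ratio: one hardened hash versus one bare SHA-512."""
    t0 = time.perf_counter()
    for _ in range(weak_samples):
        weak_sha512(password)
    per_weak = (time.perf_counter() - t0) / weak_samples
    t1 = time.perf_counter()
    hardened_hash(password)
    per_hardened = time.perf_counter() - t1
    return per_hardened / max(per_weak, 1e-9)


if __name__ == "__main__":
    legacy = weak_sha512("constructed-demo-password")
    modern = hardened_hash("constructed-demo-password")
    print("legacy record needs rehash:", needs_rehash(legacy))
    print("modern record verifies:", verify("constructed-demo-password", modern))
    print(f"one hardened hash costs ~{cost_ratio():,.0f}x one bare SHA-512")
```

The ratio printed at the end is the whole point of CWE-916: the same database read that leaks a SHA-512 digest leaks a PBKDF2 record too, but each offline guess against the latter costs hundreds of thousands of hash operations instead of one. The `needs_rehash` check is what a defender runs over the stored rows to find which accounts are still on the fast format.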


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1110.002 Password Cracking (Credential Access)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct offline password cracking (T1110.002) against the fast, general-purpose SHA-512 hash once the attacker has DB read access; the recovered admin credentials, and the K8s secrets and ServiceAccount token they unlock, then provide vertical privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25861 (shared CWE-916)
CVE-2021-36767 (shared CWE-916)
CVE-2024-3183 (shared CWE-916)
CVE-2020-28873 (shared CWE-916)
CVE-2021-22774 (shared CWE-916)
CVE-2023-5846 (shared CWE-916)
CVE-2024-23091 (shared CWE-916)
CVE-2023-34433 (shared CWE-916)
CVE-2023-27580 (shared CWE-916)
CVE-2020-25754 (shared CWE-916)

Affected Assets

Vendor: kestra
Product: kestra
Versions: ≤ 1.3.24 (the vulnerability details above state that the fix shipped in 1.3.24)

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-916

Guidance from security contacts flags password hashing methods with insufficient computational effort so that they are not adopted; a deliberately slow, salted password hashing function is the standard replacement for a bare cryptographic digest such as SHA-512.
