[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-53576":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-27T16:38:37.313Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":306,"aliases":307,"duplicate_of":9,"upstream":308,"downstream":309,"duplicates":310,"related":311,"reserved_at":9,"published_at":312,"modified_at":312,"state":313,"summary":314,"references_raw":323,"kevs":329,"epss":330,"epss_history":333,"metrics":341,"affected":345},"CVE-2026-53576","Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter(\"/api/v1/**\")) treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresses its resources by URL path segments that the caller chooses (/api/v1/{tenant}/flows/{namespace}, /api/v1/{tenant}/executions/{namespace}/{id}, /api/v1/{tenant}/namespaces/{namespace}/kv/{key}). An anonymous caller picks the literal configs as the final segment, and the request bypasses Basic-Auth entirely. Because the bypass reaches the flow-create and execution-trigger routes, an unauthenticated caller creates a flow containing a Shell or Process task and runs it. The task executes as root inside the kestra container. The official docker-compose.yml mounts /var/run/docker.sock, so root in the container reaches the host Docker daemon. This vulnerability is fixed in 1.0.45 and 1.3.21.",null,[11,62],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-94","Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","weakness","Draft","Base","Medium",[20,24,58],{"id":21,"name":22,"techniques":23},"CAPEC-242","Code Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[28,39,46],{"id":29,"name":30,"tactics":31,"countermeasures":38},"T1027.006","HTML Smuggling",[32,35],{"id":33,"name":34},"TA0030","Defense Evasion",{"id":36,"name":37},"TA0005","Stealth",[],{"id":40,"name":41,"tactics":42,"countermeasures":45},"T1027.009","Embedded Payloads",[43,44],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":49,"countermeasures":52},"T1564.009","Resource Forking",[50,51],{"id":33,"name":34},{"id":36,"name":37},[53],{"id":54,"name":55,"tactic":56},"D3-FFV","File Format Verification",{"name":57},"Isolate",{"id":59,"name":60,"techniques":61},"CAPEC-77","Manipulating User-Controlled Variables",[],{"_key":63,"id":63,"name":64,"description":65,"type":15,"status":66,"abstraction":17,"likelihood_of_exploit":9,"capec":67},"CWE-288","Authentication Bypass Using an Alternate Path or Channel","The product requires authentication, but the product has an alternate path or channel that does not require authentication.","Incomplete",[68,129],{"id":69,"name":70,"techniques":71},"CAPEC-127","Directory Indexing",[72],{"id":73,"name":74,"tactics":75,"countermeasures":79},"T1083","File and Directory Discovery",[76],{"id":77,"name":78},"TA0102","Discovery",[80,85,89,94,99,104,109,113,117,121,125],{"id":81,"name":82,"tactic":83},"D3-FA","File Analysis",{"name":84},"Detect",{"id":86,"name":87,"tactic":88},"D3-FIM","File Integrity Monitoring",{"name":84},{"id":90,"name":91,"tactic":92},"D3-FEV","File Eviction",{"name":93},"Evict",{"id":95,"name":96,"tactic":97},"D3-DF","Decoy File",{"name":98},"Deceive",{"id":100,"name":101,"tactic":102},"D3-FE","File Encryption",{"name":103},"Harden",{"id":105,"name":106,"tactic":107},"D3-RF","Restore File",{"name":108},"Restore",{"id":110,"name":111,"tactic":112},"D3-LFP","Local File Permissions",{"name":57},{"id":114,"name":115,"tactic":116},"D3-CF","Content Filtering",{"name":57},{"id":118,"name":119,"tactic":120},"D3-RFAM","Remote File Access Mediation",{"name":57},{"id":122,"name":123,"tactic":124},"D3-CQ","Content Quarantine",{"name":57},{"id":126,"name":127,"tactic":128},"D3-CM","Content Modification",{"name":57},{"id":130,"name":131,"techniques":132},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[133,164,203],{"id":134,"name":135,"tactics":136,"countermeasures":139},"T1211","Exploitation for Stealth",[137,138],{"id":33,"name":34},{"id":36,"name":37},[140,144,148,152,156,160],{"id":141,"name":142,"tactic":143},"D3-MBT","Memory Boundary Tracking",{"name":84},{"id":145,"name":146,"tactic":147},"D3-PCSV","Process Code Segment Verification",{"name":84},{"id":149,"name":150,"tactic":151},"D3-SSC","Shadow Stack Comparisons",{"name":84},{"id":153,"name":154,"tactic":155},"D3-PSEP","Process Segment Execution Prevention",{"name":103},{"id":157,"name":158,"tactic":159},"D3-SAOR","Segment Address Offset Randomization",{"name":103},{"id":161,"name":162,"tactic":163},"D3-SFCV","Stack Frame Canary Validation",{"name":103},{"id":165,"name":166,"tactics":167,"countermeasures":173},"T1542.002","Component Firmware",[168,169,170],{"id":33,"name":34},{"id":36,"name":37},{"id":171,"name":172},"TA0110","Persistence",[174,179,183,187,191,195,199],{"id":175,"name":176,"tactic":177},"D3-SWI","Software Inventory",{"name":178},"Model",{"id":180,"name":181,"tactic":182},"D3-AVE","Asset Vulnerability Enumeration",{"name":178},{"id":184,"name":185,"tactic":186},"D3-FEMC","Firmware Embedded Monitoring Code",{"name":84},{"id":188,"name":189,"tactic":190},"D3-FV","Firmware Verification",{"name":84},{"id":192,"name":193,"tactic":194},"D3-FBA","Firmware Behavior Analysis",{"name":84},{"id":196,"name":197,"tactic":198},"D3-SU","Software Update",{"name":103},{"id":200,"name":201,"tactic":202},"D3-RS","Restore Software",{"name":108},{"id":204,"name":205,"tactics":206,"countermeasures":215},"T1556","Modify Authentication Process",[207,208,211,212],{"id":33,"name":34},{"id":209,"name":210},"TA0112","Defense Impairment",{"id":171,"name":172},{"id":213,"name":214},"TA0031","Credential Access",[216,220,224,228,230,232,236,240,244,248,250,254,258,262,266,268,270,272,276,278,280,282,284,286,290,294,298,302],{"id":217,"name":218,"tactic":219},"D3-CI","Configuration Inventory",{"name":178},{"id":221,"name":222,"tactic":223},"D3-NTPM","Network Traffic Policy Mapping",{"name":178},{"id":225,"name":226,"tactic":227},"D3-AM","Access Modeling",{"name":178},{"id":81,"name":82,"tactic":229},{"name":84},{"id":86,"name":87,"tactic":231},{"name":84},{"id":233,"name":234,"tactic":235},"D3-PLA","Process Lineage Analysis",{"name":84},{"id":237,"name":238,"tactic":239},"D3-PSMD","Process Self-Modification Detection",{"name":84},{"id":241,"name":242,"tactic":243},"D3-PSA","Process Spawn Analysis",{"name":84},{"id":245,"name":246,"tactic":247},"D3-SFA","System File Analysis",{"name":84},{"id":90,"name":91,"tactic":249},{"name":93},{"id":251,"name":252,"tactic":253},"D3-PT","Process Termination",{"name":93},{"id":255,"name":256,"tactic":257},"D3-PS","Process Suspension",{"name":93},{"id":259,"name":260,"tactic":261},"D3-HR","Host Reboot",{"name":93},{"id":263,"name":264,"tactic":265},"D3-HS","Host Shutdown",{"name":93},{"id":95,"name":96,"tactic":267},{"name":98},{"id":100,"name":101,"tactic":269},{"name":103},{"id":105,"name":106,"tactic":271},{"name":108},{"id":273,"name":274,"tactic":275},"D3-RC","Restore Configuration",{"name":108},{"id":114,"name":115,"tactic":277},{"name":57},{"id":110,"name":111,"tactic":279},{"name":57},{"id":118,"name":119,"tactic":281},{"name":57},{"id":122,"name":123,"tactic":283},{"name":57},{"id":126,"name":127,"tactic":285},{"name":57},{"id":287,"name":288,"tactic":289},"D3-KBPI","Kernel-based Process Isolation",{"name":57},{"id":291,"name":292,"tactic":293},"D3-SCF","System Call Filtering",{"name":57},{"id":295,"name":296,"tactic":297},"D3-HBPI","Hardware-based Process Isolation",{"name":57},{"id":299,"name":300,"tactic":301},"D3-ABPI","Application-based Process Isolation",{"name":57},{"id":303,"name":304,"tactic":305},"D3-WSAM","Web Session Access Mediation",{"name":57},[],[],[],[],[],[],"2026-06-26T20:54:08.282Z","PUBLISHED",{"cisa_kev":315,"cisa_ransomware":315,"cisa_vendor":9,"epss_severity":316,"epss_score":317,"severity":318,"severity_score":319,"severity_version":320,"severity_source":321,"severity_vector":322,"severity_status":313},false,"low",0.00333,"critical",10,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",[324],{"url":325,"sources":326,"tags":327},"https://github.com/kestra-io/kestra/security/advisories/GHSA-2q47-568g-9h4f",[321],[328],"X Refsource CONFIRM",[],{"date":331,"score":317,"percentile":332},"2026-06-14",0.56636,[334,337,340],{"date":335,"score":317,"percentile":336},"2026-06-12",0.56633,{"date":338,"score":317,"percentile":339},"2026-06-13",0.56647,{"date":331,"score":317,"percentile":332},[342],{"source":321,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":343,"cvss_v4_0":9},{"baseScore":319,"baseSeverity":344,"vectorString":322,"impactScore":319,"exploitabilityScore":319},"CRITICAL",[346],{"ecosystem":9,"name":347,"vendor":348,"product":347,"cpe_part":349,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":350},"kestra","kestra-io","a",[351,356],{"version":352,"is_range":353,"range_type":321,"version_start":9,"version_start_type":9,"version_end":354,"version_end_type":355,"fixed_in":9},"\u003C 1.0.45",true,"1.0.45","excluding",{"version":357,"is_range":353,"range_type":321,"version_start":358,"version_start_type":359,"version_end":360,"version_end_type":355,"fixed_in":9},">= 1.1.0, \u003C 1.3.21","1.1.0","including","1.3.21"]