CVE-2026-53577
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
In Kestra prior to versions 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation.
Risk Assessment
The risk involves unauthorized access to sensitive output data from other executions, potentially leading to leakage of business or configuration information within a single tenant.
Recommendation
Immediately upgrade Kestra to version 1.0.45 or 1.3.21, which include the fix for this vulnerability.
Original NVD description (English source)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.

