CVE-2026-38428 Overview
CVE-2026-38428 is a SQL Injection vulnerability affecting Kestra v1.3.3 and earlier versions. The flaw exists because user-controlled input from a GET parameter is directly concatenated into an SQL query without sanitization or parameterization. Attackers can inject arbitrary SQL expressions into the database query through a network-accessible endpoint.
The vulnerability requires no authentication and no user interaction. It maps to CWE-89: Improper Neutralization of Special Elements used in an SQL Command. Successful exploitation can compromise confidentiality, integrity, and availability of the underlying database.
Critical Impact
Unauthenticated remote attackers can read, modify, or delete database contents through crafted GET parameter values, leading to full data compromise of Kestra deployments.
Affected Products
- Kestra v1.3.3 and earlier versions
- Kestra orchestration platform deployments exposing the affected GET endpoint
- Self-hosted and containerized Kestra installations on the vulnerable releases
Discovery Timeline
- 2026-05-05 - CVE-2026-38428 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-38428
Vulnerability Analysis
The vulnerability resides in a Kestra HTTP handler that accepts a GET parameter and concatenates the value directly into an SQL statement. Because the application performs no input validation, escaping, or parameter binding, attacker-controlled characters terminate the original query context. The attacker can then append additional SQL clauses such as UNION SELECT, OR 1=1, or stacked statements depending on the database driver.
Kestra is a workflow orchestration platform that frequently stores execution metadata, secrets, and flow definitions in its backing database. SQL Injection at this layer exposes operational data and pipeline configuration. Attackers can also abuse database functions to read files, write files, or execute commands depending on the database engine privileges.
Root Cause
The root cause is the use of string concatenation to build SQL queries from untrusted input. The codebase fails to apply prepared statements or an ORM-level binding mechanism for the affected endpoint. This pattern violates the secure coding guidance associated with CWE-89 and ignores the parameterization features available in the modern Java database libraries used by Kestra.
Attack Vector
An unauthenticated attacker sends a crafted HTTP GET request containing SQL metacharacters in the vulnerable parameter. The request travels over the network, requires no privileges, and produces no user interaction prompt. The injected payload executes inside the database session used by Kestra. Refer to the Kestra GitHub Security Advisory GHSA-365w-2m69-mp9x for technical specifics.
Detection Methods for CVE-2026-38428
Indicators of Compromise
- HTTP GET requests to Kestra endpoints containing SQL syntax tokens such as UNION, SELECT, --, ;, ', or OR 1=1 in query parameters
- Database error messages or stack traces returned in HTTP responses from the Kestra application
- Unexpected outbound connections from the Kestra database host or anomalous read volume against execution and flow tables
- New or modified rows in Kestra authentication or secret storage tables outside of normal change windows
Detection Strategies
- Inspect web server and reverse proxy logs for GET parameters containing URL-encoded SQL metacharacters targeting Kestra routes
- Deploy Web Application Firewall rules with SQL Injection signatures in front of the Kestra UI and API
- Enable database query logging and alert on syntactically unusual queries originating from the Kestra service account
- Correlate Kestra application logs with database audit logs to identify injected payload execution
Monitoring Recommendations
- Monitor Kestra HTTP access logs for spikes in 500-class responses tied to specific GET parameters
- Track database CPU and row-read metrics for the Kestra schema to detect bulk extraction attempts
- Alert on Kestra service account queries that reference information_schema, pg_catalog, or system tables
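The log review described under Detection Strategies (URL-encoded SQL metacharacters on Kestra routes) and the 500-class monitoring item above can be scripted. The following is an added example, not code from this advisory or from the Kestra project; it assumes access logs in the common/combined format, uses constructed sample lines, and treats /api/v1/ as the route prefix to inspect.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in common log format; not taken from a real Kestra host.
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2026:10:01:02 +0000] "GET /api/v1/flows?namespace=prod HTTP/1.1" 200 512
10.0.0.9 - - [05/May/2026:10:01:05 +0000] "GET /api/v1/flows?namespace=prod%27%20UNION%20SELECT%20null-- HTTP/1.1" 500 188
10.0.0.9 - - [05/May/2026:10:01:06 +0000] "GET /api/v1/flows?namespace=prod%2527%2520OR%25201%253D1-- HTTP/1.1" 500 188
10.0.0.7 - - [05/May/2026:10:01:09 +0000] "GET /ui/login HTTP/1.1" 200 2048
10.0.0.9 - - [05/May/2026:10:01:11 +0000] "GET /api/v1/executions?q=a%3Bselect%20*%20from%20information_schema.tables HTTP/1.1" 500 188
10.0.0.8 - - [05/May/2026:10:01:15 +0000] "GET /api/v1/flows?namespace=prod HTTP/1.1" 500 188
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
# SQL syntax tokens from the indicator list above, matched only after URL decoding.
SQL_TOKENS = re.compile(
    r"\bunion\b|\bselect\b|--|;|'|\bor\s+1\s*=\s*1\b|information_schema|pg_catalog", re.IGNORECASE
)

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded values (%2527) are inspected decoded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    pairs = [pair.partition("=") for pair in parts.query.split("&") if pair]
    return {"ip": m["ip"], "method": m["method"], "path": parts.path, "status": int(m["status"]),
            "params": [(name, decode_fully(raw)) for name, _, raw in pairs]}

def scan_access_log(text, route_prefix="/api/v1/"):
    """Flag GET parameters on Kestra routes whose decoded value contains SQL syntax tokens."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or not rec["path"].startswith(route_prefix):
            continue
        for name, value in rec["params"]:
            tokens = sorted({t.lower() for t in SQL_TOKENS.findall(value)})
            if tokens:
                findings.append({"ip": rec["ip"], "path": rec["path"], "param": name,
                                 "value": value, "tokens": tokens, "status": rec["status"]})
    return findings

def server_errors_by_param(text, route_prefix="/api/v1/"):
    """Count 5xx responses per (path, parameter names); a spike here is worth correlating."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(route_prefix) and 500 <= rec["status"] < 600:
            counts[(rec["path"], tuple(sorted(n for n, _ in rec["params"])))] += 1
    return counts
```

A hit from scan_access_log combined with a rising count from server_errors_by_param for the same path and parameter is the correlation the monitoring items above describe; a 500 without SQL tokens (the last sample line) is noise to triage, not an indicator on its own.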
How to Mitigate CVE-2026-38428
Immediate Actions Required
- Upgrade Kestra to a release later than v1.3.3 that contains the fix referenced in the GitHub Security Advisory GHSA-365w-2m69-mp9x
- Restrict network exposure of the Kestra UI and API to trusted administrative networks or VPN segments
- Review Kestra database audit logs for suspicious queries dating back to the deployment of v1.3.3 or earlier
- Rotate any credentials, API keys, or secrets stored in the Kestra database after patching
Patch Information
Apply the patched Kestra release identified in the vendor advisory. The fix replaces unsafe string concatenation with parameterized queries on the affected endpoint. Validate the running version with kestra --version after upgrade and confirm no v1.3.3 or earlier instances remain in the environment.
Workarounds
- Place a Web Application Firewall in front of Kestra and enable signatures that block SQL Injection patterns in GET parameters
- Restrict the Kestra database account to least privilege, removing file I/O and DDL permissions where possible
- Disable or firewall the affected GET endpoint at the reverse proxy layer until the upgrade is applied
# Example reverse proxy rule to block SQL metacharacters in Kestra GET parameters
# nginx snippet - adjust location to the affected route
# Note: $args is the raw, still percent-encoded query string, so this rule does not
# see URL-encoded or double-encoded payloads; it is a stopgap, not a substitute for the upgrade
location /api/v1/ {
    if ($args ~* "(union|select|--|;|or\s+1=1|information_schema)") {
        return 403;
    }
    proxy_pass http://kestra_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.