oM noM Security Feeds cve
vulnerability context

CVE-2026-53576

CVSS 10.0 CRITICALEPSS 37%CWE-94

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresses its resources by URL path segments that the caller chooses (/api/v1/{tenant}/flows/{namespace}, /api/v1/{tenant}/executions/{namespace}/{id}, /api/v1/{tenant}/namespaces/{namespace}/kv/{key}). An anonymous caller picks the literal configs as the final segment, and the request bypasses Basic-Aut...

Published 2026-06-26 · last modified 2026-07-01

details

CISA KEV status
Not in catalog
CVSS v3
10.0 / CRITICAL
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
37% percentile (score 0.0047)
CWE
CWE-94

source mentions 2

source consensus

  • Bluesky:@cyberhub.blog
  • Bluesky
Want the 3-bullet summary of CVE-2026-53576, plus webhook alerts when KEV is updated? Pro is $10/mo.