Critical severity9.8NVD Advisory· Published May 5, 2026· Updated May 8, 2026

CVE-2026-38428

Description

Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query.

Affected products

Kestra/Kestrainferred2 versions
<=1.3.3+ 1 more
- (no CPE)range: <=1.3.3
- cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:*range: <1.0.35

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9xnvdExploitMitigationVendor Advisory
www.link.comnvdNot Applicable

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000