CVE-2026-53577
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/06/2026
Last modified: 01/07/2026
Description
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21.
Impact
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:* | | 1.0.45 (excluding) |
| cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:* | 1.1.0 (including) | 1.3.21 (excluding) |



