CVE-2026-49869 | kestra-io kestra up to 1.0.44/1.3.20 Public Configuration Endpoint request.getPath os command injection (GHSA-5vc5-wxxq-3fjx)

SecurityVulns

A vulnerability was found in kestra-io kestra up to 1.0.44/1.3.20 and has been rated as critical. It affects the function request.getPath of the Public Configuration Endpoint component. Manipulation leads to OS command injection.

This vulnerability is listed as CVE-2026-49869. The attack may be initiated remotely. There is no available exploit.

Upgrading the affected component is advised.

VulDB Recent Entries