CVE-2026-34612

Kestra · Kestra

A SQL Injection vulnerability in Kestra's flow search endpoint allows authenticated users to execute arbitrary OS commands on the host via PostgreSQL's COPY TO PROGRAM functionality.

Executive summary

Kestra orchestration platforms are vulnerable to a critical SQL injection that enables authenticated attackers to execute arbitrary operating system commands on the host server.

Vulnerability

The GET /api/v1/main/flows/search endpoint is susceptible to SQL injection. An authenticated attacker can send a crafted request (for example, a crafted link) to this endpoint; the injected SQL is executed by the underlying PostgreSQL database and, through COPY ... TO PROGRAM, runs arbitrary shell commands on the host.

Business impact

Successful exploitation results in Remote Code Execution (RCE) on the host system, leading to full server compromise and data exfiltration. With a CVSS score of 9.9, this vulnerability presents a near-maximum risk to any organization running the default docker-compose deployment of Kestra.

Remediation

Immediate Action: Update the Kestra platform to version 1.3.7 or later to patch the vulnerable API endpoint and sanitize SQL inputs.

Proactive Monitoring: Audit database logs for unusual COPY ... TO PROGRAM statements and review application logs for suspicious activity on the /flows/search endpoint.

Compensating Controls: Implement a Web Application Firewall (WAF) with strict SQL injection protection rules to filter malicious parameters in API requests.
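The monitoring step above can be automated. The following is an added example written for this advisory, not code from Kestra or this page: it scans PostgreSQL statement logs for COPY ... TO PROGRAM and Kestra access logs for requests to the /flows/search endpoint whose query parameters carry SQL metacharacters. The log formats and all sample lines are constructed assumptions; adjust the regexes to your own log layout.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input (not real logs): PostgreSQL statement logging
# (log_statement = 'all') and a Common Log Format style Kestra access log.
PG_LOG = """\
2026-01-10 10:00:01 UTC [123] kestra@kestra LOG:  statement: SELECT id FROM flows WHERE namespace = $1
2026-01-10 10:00:02 UTC [124] kestra@kestra LOG:  statement: COPY (SELECT 1) TO PROGRAM 'placeholder-command'
2026-01-10 10:00:03 UTC [125] kestra@kestra LOG:  statement: COPY flows TO '/tmp/flows.csv'
"""
ACCESS_LOG = """\
10.0.0.5 - alice [10/Jan/2026:10:00:00 +0000] "GET /api/v1/main/flows/search?q=etl&page=1 HTTP/1.1" 200 512
10.0.0.7 - bob [10/Jan/2026:10:00:02 +0000] "GET /api/v1/main/flows/search?q=etl%27&page=1 HTTP/1.1" 200 20
10.0.0.5 - alice [10/Jan/2026:10:00:05 +0000] "GET /api/v1/main/flows/abc HTTP/1.1" 200 100
"""

SEARCH_PATH = "/api/v1/main/flows/search"          # endpoint named in the advisory
COPY_PROGRAM = re.compile(r"\bCOPY\b.*?\bTO\s+PROGRAM\b", re.IGNORECASE)
SQL_META = re.compile(r"['\";]|--|/\*")            # quote, terminator, comment openers
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_copy_to_program(pg_log: str) -> list[str]:
    """Return PostgreSQL log lines whose statement uses COPY ... TO PROGRAM.

    COPY TO/FROM PROGRAM requires superuser or the pg_execute_server_program
    role, so any hit issued by the application's database role is a finding
    regardless of what the command was.
    """
    return [line for line in pg_log.splitlines() if COPY_PROGRAM.search(line)]


def find_suspicious_search_requests(access_log: str) -> list[dict]:
    """Flag requests to the flow search endpoint whose (URL-decoded) query
    parameters contain SQL metacharacters or a COPY ... TO PROGRAM fragment."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != SEARCH_PATH:
            continue
        # parse_qsl percent-decodes values, so %27 is inspected as a quote.
        params = parse_qsl(parts.query, keep_blank_values=True)
        bad = [k for k, v in params if SQL_META.search(v) or COPY_PROGRAM.search(v)]
        if bad:
            hits.append({"line": line, "params": bad})
    return hits


if __name__ == "__main__":
    print("DB hits:", find_copy_to_program(PG_LOG))
    print("API hits:", find_suspicious_search_requests(ACCESS_LOG))
```

Treat a hit from either source as a trigger to pull the full request and session for that user, and confirm the database role Kestra connects with is not a superuser.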

Exploitation status

Public Exploit Available: false

Analyst recommendation

Remote Code Execution via SQL injection is a highly critical threat vector. Organizations must prioritize the update to Kestra version 1.3.7 immediately to secure their orchestration workflows and the underlying host infrastructure.