CVE-2026-49869

Kestra · Kestra

Kestra contains an authentication bypass vulnerability due to improper path validation, allowing unauthenticated attackers to execute arbitrary workflows and achieve Remote Code Execution.

Executive summary

A critical authentication bypass in Kestra allows unauthenticated remote attackers to execute arbitrary code as root within the worker container.

Vulnerability

The AuthenticationFilter incorrectly uses a suffix match for path whitelisting. This allows any API path ending in /configs to bypass security controls, enabling unauthenticated attackers to trigger script execution plugins and execute commands as root.

Business impact

With a CVSS score of 10.0, this vulnerability represents the highest level of risk. Successful exploitation grants an attacker full control over the Kestra orchestration platform and the underlying worker infrastructure. This can lead to complete server compromise, lateral movement within the network, and total loss of confidentiality, integrity, and availability.

Remediation

Immediate Action: Upgrade Kestra instances to version 1.0.45 or 1.3.21 (or later) to resolve the path validation flaw.

Proactive Monitoring: Inspect Kestra execution logs for unauthorized workflow triggers or unexpected script executions, particularly those originating from unknown or unauthorized sources.

Compensating Controls: Restrict network access to the Kestra API and management interface using IP whitelisting or VPN-only access to minimize the attack surface.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability allows for unauthenticated Remote Code Execution, which is the most dangerous class of security flaws. Organizations utilizing Kestra must treat this as an emergency patching event. Ensure that instances are not exposed to the public internet and apply the vendor-provided patches as soon as possible.