CVE-2026-53576
Kestra · Kestra
An authentication bypass vulnerability in Kestra allows unauthenticated attackers to execute arbitrary code as root by manipulating API requests.
Executive summary
A critical authentication bypass in Kestra allows unauthenticated attackers to achieve root-level code execution, leading to full host compromise via the Docker daemon.
Vulnerability
The REST API authentication filter incorrectly processes paths ending in "/configs", allowing an unauthenticated caller to bypass Basic-Auth. The caller can then trigger unauthorized flows whose tasks execute as root inside the container, and that root process can escape to the host through the mounted Docker socket.
Business impact
The CVSS score of 10.0 highlights the extreme severity of this flaw. By bypassing authentication, an attacker gains full control over the orchestration platform and the underlying host server, resulting in complete loss of confidentiality, integrity, and availability of all managed infrastructure.
Remediation
Immediate Action: Upgrade to Kestra version 1.0.45 or 1.3.21, which fix the authentication logic flaw.
Proactive Monitoring: Audit API access logs for unauthorized access attempts, and monitor for unexpected execution of Shell or Process tasks within Kestra containers.
Compensating Controls: Restrict network access to the Kestra API with firewall rules, and do not mount the Docker socket into the Kestra container unless strictly necessary.
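Added here as a defender's aid for the monitoring step above; it is not code from Kestra or from this advisory. It assumes the API sits behind a proxy writing Combined Log Format access logs whose identity field holds the Basic-Auth user ("-" when no credentials were sent), and the sample lines, routes and the `public_paths` allowlist are constructed placeholders the operator would replace with their own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample access log (Combined Log Format); routes are placeholders,
# not real Kestra endpoints. The identity field is "-" when no credentials were sent.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/May/2026:10:01:02 +0000] "GET /api/v1/flows HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2026:10:02:14 +0000] "GET /api/v1/flows HTTP/1.1" 401 0
203.0.113.7 - - [12/May/2026:10:02:20 +0000] "GET /api/v1/configs HTTP/1.1" 200 1024
203.0.113.7 - - [12/May/2026:10:02:31 +0000] "GET /api/v1/demo/flows/configs?x=1 HTTP/1.1" 200 64
203.0.113.7 - - [12/May/2026:10:03:00 +0000] "POST /api/v1/demo/configs HTTP/1.1" 401 0
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

@dataclass
class Finding:
    client: str
    method: str
    path: str
    status: int
    verdict: str  # "accepted": 2xx without credentials; "rejected": auth held

def audit_configs_requests(lines, public_paths=frozenset()):
    """Flag unauthenticated requests to paths ending in '/configs'.

    public_paths is an exact-match allowlist of endpoints confirmed to be
    public by design; a 2xx on anything else is the bypass from the advisory.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the audit
        path = urlsplit(m["target"]).path  # drop the query string before the suffix test
        if m["user"] != "-" or not path.endswith("/configs") or path in public_paths:
            continue
        status = int(m["status"])
        verdict = "accepted" if 200 <= status < 300 else "rejected"
        findings.append(Finding(m["client"], m["method"], path, status, verdict))
    return findings

if __name__ == "__main__":
    for f in audit_configs_requests(SAMPLE_LOG.splitlines()):
        print(f"{f.verdict:8} {f.client} {f.method} {f.path} -> {f.status}")
```

An "accepted" finding on an unpatched instance is the bypass itself; on a patched instance every unauthenticated request to a non-allowlisted "/configs" path should appear as "rejected".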
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This is a critical vulnerability that provides a direct path to host-level compromise. Organizations using Kestra must prioritize the immediate application of the security update to prevent unauthenticated attackers from gaining root access to their orchestration environment and host servers.