SQL Injection in sqli (CVE-2026-38428)
Severity: critical (CVSS 9.8)
Summary
SQL injection in sqli (CVE-2026-38428). Successful exploitation can lead to full system takeover. Exploitable via `GET /api/v1/main/flows/search`.
AI summary (openai / gpt-4o)
Older versions of Kestra contain a vulnerability that allows remote attackers to manipulate data over the internet. The cause is improper handling of web inputs that are passed to the database, creating a risk of information leakage or tampering. As with previous high-profile incidents such as Heartbleed, this is highly dangerous; update affected systems promptly.
Kestra versions up to v1.3.3 have a SQL injection vulnerability. User input sent to `GET /api/v1/main/flows/search` is concatenated directly into SQL queries without sanitization or parameterization. Attackers can manipulate the `filters[labels][EQUALS][<key>]` and `value` parameters to inject SQL, up to remote code execution via PostgreSQL `COPY ... TO PROGRAM`. Mitigation is either introducing parameter binding or updating to a fixed version.
❓ What is the problem
SQL Injection vulnerability in Kestra versions up to v1.3.3.
📍 Affected scope
`GET /api/v1/main/flows/search` endpoint using `filters[labels][EQUALS][<key>]` and `value` parameters.
🔥 Severity
The vulnerability is critical with a CVSS score of 9.8, indicating it can be exploited remotely, without authentication, and no user interaction is needed.
🔧 How to fix
Introduce parameter binding for SQL queries or update to a fixed version when released.
🛡️ Workaround
No specific workaround was detailed in the provided information.
🔍 Detection
Monitor web access logs and database logs for unusual SQL commands or SQL metacharacters in requests to `GET /api/v1/main/flows/search`, specifically in the `filters[labels][EQUALS][<key>]` and `value` parameters.
Related past incidents (similar incidents extracted from past CVEs)
Similar SQL injection vulnerability in other database-handling applications.
Exploitation of input handling flaws in web applications.
Known vulnerability due to improper input handling leading to data exposure.
If this happens at your company (expected impact per business scenario)
📌 For an e-commerce site using Kestra
An attacker could exploit this vulnerability to manipulate product catalog or pricing information, leading to incorrect billing or price exposure.
📌 For an internal financial system
Data integrity could be compromised, leading to incorrect financial reporting and potential legal implications.
📌 For a SaaS platform provider
Customer data could be leaked or altered, leading to loss of trust and potential GDPR violations.
Recommended action
Organizations should prioritize patching this vulnerability by applying updates or implementing mitigations. Regular security audits to check for similar flaws should also be conducted.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
Step 1: Identify exposure [identify]
grep -r 'sqli' . | grep -v node_modules
Grep for `sqli` in the repository and in the production environment's dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to determine which services and versions are running.

Step 3: Hunt for indicators of compromise [detect]
grep 'GET /api/v1/main/flows/search' /var/log/nginx/access.log | grep -E '(unusual_payload|sqli_pattern)'
Search the access logs for the past 30 to 90 days for anomalous requests to `GET /api/v1/main/flows/search` (malformed authentication headers, SQL metacharacters). If a WAF/SIEM is available, check the history of alerts fired for that path.

Step 7: Post-deployment verification [verify]
Replay attack against GET /api/v1/main/flows/search on staging to confirm patch closes the vector
After applying the patch, reproduce the PoC or an equivalent exploitation pattern on staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as in Step 3 to make sure alerts do not recur.
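The detection guidance in the Detection section and in Step 3, as a worked example added here (it is not part of the advisory or of Kestra's own tooling): a Python scanner that decodes the query string of nginx access-log lines and flags requests to `GET /api/v1/main/flows/search` whose `filters[labels][EQUALS][<key>]` key or value, or `value` parameter, contains SQL metacharacters or keywords. The combined log format, the sample lines and the indicator lists are assumptions; a real deployment should tune the patterns to its own label conventions.

```python
import re
from urllib.parse import parse_qs, urlsplit
TARGET_PATH = "/api/v1/main/flows/search"
# Label filter parameter filters[labels][EQUALS][<key>]=<value>: both <key> and <value> are user-controlled.
LABEL_KEY_RE = re.compile(r"^filters\[labels\]\[EQUALS\]\[(?P<key>.*)\]$", re.S)
# Heuristic indicators: SQL metacharacters / comment markers first, then SQL keywords (case-insensitive).
META_RE = re.compile(r"['\";]|--|/\*")
KEYWORD_RE = re.compile(r"\b(union|select|copy|program|pg_sleep|drop|insert|update|delete)\b", re.I)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')  # assumed nginx "combined" prefix

def classify(fragment):
    """Return a reason string if the decoded fragment looks like SQL injection, else None."""
    if META_RE.search(fragment):
        return "sql-metachar"
    if KEYWORD_RE.search(fragment):
        return "sql-keyword"
    return None

def scan_line(line):
    """Return a finding dict for a suspicious flows/search request in one log line, or None."""
    m = LINE_RE.match(line)
    parts = urlsplit(m.group("uri")) if m else None
    if parts is None or parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes parameter names and values, so encoded payloads are inspected decoded.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        km = LABEL_KEY_RE.match(name)
        if km is None and name != "value":
            continue  # only the parameters named in the advisory are inspected
        checks = ([("label-key", km.group("key"))] if km else []) + [("param-value", v) for v in values]
        for where, fragment in checks:
            reason = classify(fragment)
            if reason:
                return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "param": name, "where": where, "reason": reason, "fragment": fragment}
    return None

def scan_log(lines):
    return [f for f in map(scan_line, lines) if f]  # one finding per suspicious line

# Constructed sample log lines (not real traffic): benign, injected label key, injected label value, SQL keyword in `value`, and a hit on another path that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /api/v1/main/flows/search?filters%5Blabels%5D%5BEQUALS%5D%5Benv%5D=prod&page=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [12/May/2026:10:01:07 +0000] "GET /api/v1/main/flows/search?filters%5Blabels%5D%5BEQUALS%5D%5Benv%27%5D=prod HTTP/1.1" 500 88 "-" "curl/8.0"',
    '10.0.0.9 - - [12/May/2026:10:01:09 +0000] "GET /api/v1/main/flows/search?filters%5Blabels%5D%5BEQUALS%5D%5Benv%5D=prod%27-- HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.9 - - [12/May/2026:10:01:11 +0000] "GET /api/v1/main/flows/search?q=deploy&value=x%20UNION%20SELECT%20y HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.5 - - [12/May/2026:10:02:00 +0000] "GET /api/v1/main/flows?filters%5Blabels%5D%5BEQUALS%5D%5Benv%27%5D=x HTTP/1.1" 200 64 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']} [{f['where']}/{f['reason']}] -> {f['fragment']!r}")
```

To run it over a real file, replace `SAMPLE_LOG` with `open("/var/log/nginx/access.log")`; the 500 status on the injected-key line is the kind of error burst worth correlating with database logs.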