UnratedPublic exploit

Unauthenticated RCE in Kestra REST API via /configs authentication bypass

IdentifiersCVE-2026-53576CWE-288

CVE-2026-53576 is a critical authentication-bypass vulnerability in Kestra, an open-source event-driven orchestration platform. In versions prior to 1.0.45 and 1.3.21, the REST API authentication filter for @Filter("/api/v1/**") incorrectly treats any request whose path ends with /configs as the public instance-config endpoint and forwards the request without enforcing Basic Authentication. Because Kestra resource routing uses caller-controlled URL path segments, an unauthenticated attacker can craft API paths whose final segment is the literal string "configs" to reach protected endpoints without credentials. The bypass can be used against flow-creation and execution-trigger routes, allowing an anonymous attacker to create a malicious flow containing a Shell or Process task and then execute it. The task runs as root inside the Kestra container. In deployments using the official docker-compose configuration, where /var/run/docker.sock is mounted into the container, this can be chained into access to the host Docker daemon and potential host compromise.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation provides unauthenticated remote code execution in the Kestra environment. An attacker can create and run arbitrary Shell or Process tasks as root inside the Kestra container, resulting in full compromise of the application runtime, arbitrary command execution, data access and modification, and service disruption. In default Docker-based deployments that expose /var/run/docker.sock to the container, root execution inside the container can be leveraged to control the host Docker daemon, enabling container escape in practice and full host-level compromise with corresponding confidentiality, integrity, and availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to the Kestra REST API so unauthenticated external users cannot reach /api/v1/* endpoints, place the service behind a trusted reverse proxy or access-control layer, and monitor for suspicious anonymous requests whose paths end in /configs. As a defense-in-depth measure, avoid mounting /var/run/docker.sock into the Kestra container unless strictly required, because that mount materially increases post-exploitation impact from container-level root to host-level compromise.

Remediation

Patch, then assume compromise.

Upgrade Kestra to a fixed release. The vulnerability is addressed in versions 1.0.45 and 1.3.21. Users should update to 1.0.45 or later on the 1.0 branch, or 1.3.21 or later on the 1.3 branch, and ensure all exposed Kestra instances are running a patched version.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cvefeed high severityNews

Jun 26, 2026

CVE-2026-53576 - Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass

An unauthenticated remote code execution vulnerability in Kestra caused by an authentication filter bypass on API paths ending in /configs, allowing anonymous attackers to create and execute flows.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-53576

NVD

nvd.nist.gov/vuln/detail/CVE-2026-53576

MITRE CWE · CWE-288

cwe.mitre.org