Mallory
Unrated

Kestra BasicAuth SHA-512 Password Hashing Enables Offline Password Cracking

Identifiers: CVE-2026-55069, CWE-916 (Use of Password Hash With Insufficient Computational Effort)

CVE-2026-55069 affects the BasicAuth authentication component of the Kestra open-source workflow orchestration platform in versions prior to 1.3.24. BasicAuth passwords are stored as SHA-512 hashes. SHA-512 is a general-purpose digest designed to be fast and has no tunable work factor, so it is unsuitable for password storage: anyone holding the hash can test candidate passwords at the full speed of their hardware, and the only thing limiting the attack is the entropy of the password itself. An attacker who obtains read access to Kestra's PostgreSQL database can extract the stored hashes and run offline brute-force or dictionary attacks to recover administrator credentials. In Kubernetes deployments, a recovered administrator password can be chained into further compromise of the environment, including access to the cluster ServiceAccount token and Kubernetes Secrets.
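To make the weakness concrete, the following Python example was added for this page; it is not Kestra's code and does not reproduce Kestra's schema or hash encoding. It shows the same offline dictionary attack an attacker would run against a dumped SHA-512 hash, the slow, salted scrypt storage that removes the problem, a small triage helper that flags records still stored as a bare SHA-512 digest, and a rate measurement that makes the speed gap between the two schemes visible. The sample "dump", the wordlist, the scrypt parameters and the record format are all constructed assumptions.

```python
"""Added example (not Kestra's code): why a plain SHA-512 password hash is
crackable offline, and what a password-hashing KDF changes.

Everything below that looks like data (the leaked row, the wordlist, the
scrypt parameters, the record layout) is constructed for this demonstration.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

def sha512_hex(password: str) -> str:
    """The weak scheme: one fast SHA-512 over the password, no work factor."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()

# Constructed "dump": what an attacker with database read access would see.
LEAKED_ROWS = {"admin": sha512_hex("Winter2025!")}  # constructed, not real data

# Constructed dictionary; a real attack uses gigabytes of wordlists plus rules.
WORDLIST = ["password", "admin", "kestra", "Summer2025!", "Winter2025!", "letmein"]

def crack_sha512(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: each guess costs exactly one SHA-512 call."""
    target_hex = target_hex.lower()
    for guess in wordlist:
        if hmac.compare_digest(sha512_hex(guess), target_hex):
            return guess
    return None

# Hardened storage: scrypt from the stdlib, per-user random salt, tunable cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed parameters, ~16 MiB/guess

def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt hex>$<key hex>."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt$n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}${salt.hex()}${key.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    _, algo, params, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    kv = dict(item.split("=") for item in params.split(","))
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)

def classify_hash(stored: str) -> str:
    """Triage helper for a credential audit: a bare 128-hex digest with no salt
    or parameters is the fast-hash pattern; a $scrypt$ record is the hardened one."""
    if stored.startswith("$scrypt$"):
        return "scrypt"
    if len(stored) == 128 and all(c in "0123456789abcdefABCDEF" for c in stored):
        return "fast-unsalted-sha512"
    return "unknown"

def guesses_per_second(test_one_guess, seconds: float = 0.25) -> float:
    """Measure how many guesses one core can test per second against a scheme."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        test_one_guess()
        count += 1
    return count / seconds

if __name__ == "__main__":
    print("cracked admin:", crack_sha512(LEAKED_ROWS["admin"], WORDLIST))
    record = scrypt_store("Winter2025!")
    print("scrypt verify:", scrypt_verify("Winter2025!", record))
    fast = guesses_per_second(lambda: sha512_hex("guess"))
    slow = guesses_per_second(lambda: scrypt_verify("guess", record))
    print(f"sha512: ~{fast:,.0f} guesses/s  scrypt: ~{slow:,.0f} guesses/s  "
          f"ratio ~{fast / max(slow, 1):,.0f}x on one core")
```

Run it once and the ratio printed on the last line is the whole advisory in one number: the SHA-512 scheme tests on the order of a million guesses per second per core in pure Python (far more on a GPU), while the scrypt record tests a few dozen. The `classify_hash` helper is the kind of check to run over a credential export after upgrading, to confirm no entry is still in the bare-digest form.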


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker who has already obtained the stored hashes (through database read access, a backup, or a dump) can recover Kestra administrator credentials offline, at their own pace and on their own hardware, and then log in to the platform as an administrator. In Kubernetes deployments the impact is more severe: with administrative access to Kestra, the attacker may be able to read the cluster ServiceAccount token and Kubernetes Secrets, resulting in vertical privilege escalation and broader compromise of the orchestration environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, minimize exposure by strictly limiting read access to the PostgreSQL database (including backups and replicas, which carry the same hashes), enforcing strong, unique administrator passwords, and monitoring for unauthorized database access. Password length is the only lever that matters against a fast hash: the attack tests guesses at hardware speed, so a long randomly generated password pushes the guess space out of reach while a dictionary word with a year and a symbol does not. In Kubernetes environments, reduce the privileges available to Kestra-associated ServiceAccounts, limit Secret access through RBAC, and review Secrets and ServiceAccount usage for signs of abuse. These measures reduce exploitability but do not remediate the underlying weakness, and any hash that has already been copied out of the database remains crackable regardless of what is done afterwards.

Remediation

Patch, then assume compromise.

Upgrade Kestra to version 1.3.24 or later, where the vulnerability is fixed. After upgrading, rotate all BasicAuth administrator credentials, not only those known to be exposed: the fix changes how passwords are stored going forward, but any pre-upgrade SHA-512 hash that already left the database stays crackable forever. Restrict and audit access to the PostgreSQL database, including backups, to reduce the likelihood of hash extraction. In Kubernetes deployments, review and rotate exposed ServiceAccount tokens and sensitive Kubernetes Secrets as appropriate, and assess whether privilege escalation or follow-on access occurred.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.
