Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a critical vulnerability in Kestra, an open-source platform for orchestrating workflows. The vulnerability allows unauthenticated access to sensitive API endpoints, potentially enabling an attacker to execute arbitrary code with root privileges within the Kestra container, and gain access to the host system's Docker daemon. This could lead to a complete compromise of the affected environment.
- Unauthenticated access to critical orchestration functions.
- Risks compromise of container and host systems.
- Confirm relevance and scope of Kestra deployments.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can bypass the Kestra REST API's authentication filter by crafting a specific request path. This bypass allows the attacker to create and trigger a flow that executes arbitrary code as root within the Kestra container. If the Docker socket is mounted from the host, this capability can extend to controlling the host's Docker daemon.
- Unauthenticated network access required.
- Request path bypasses authentication filter.
- Root container execution, potential host control.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated caller to create and run a flow with a shell or process task that executes as root inside the Kestra container. When supported by the advisory's deployment configuration, this could extend to the host Docker daemon, potentially leading to broader system compromise.
- Containerized Kestra processes.
- Unauthenticated API requests to `/configs`.
- Host system compromise via Docker daemon.
Operational Fix
Recommended remediation, mitigation, and detection steps
This critical vulnerability in Kestra's REST API authentication filter affects deployments where the API is exposed, potentially allowing unauthenticated attackers to execute arbitrary code as root on the host system by exploiting the `configs` endpoint. System owners and platform teams should prioritize identifying Kestra instances, assessing their exposure, and confirming business criticality. The immediate first step is to locate all Kestra deployments and determine their accessibility and operational importance, followed by a coordinated remediation plan based on the identified risk.
- Platform/App owners should address this.
- Verify API exposure and reachability first.
- Plan remediation based on risk and criticality.