CVE-2026-29082
📋 TL;DR
This vulnerability allows attackers to inject malicious HTML/JavaScript into Kestra's execution-file preview feature, leading to cross-site scripting (XSS) attacks. Users of Kestra versions 1.1.10 and earlier are affected when they view execution files containing malicious Markdown content. The vulnerability exists because user-supplied Markdown is rendered without proper HTML sanitization.
💻 Affected Systems
- Kestra
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Attackers with access to create or modify execution files could embed malicious scripts that execute when other users view those files, leading to session hijacking or credential theft.
If Mitigated
With proper input validation and output encoding, the risk is limited to benign Markdown rendering without script execution.
🎯 Exploit Status
Exploitation requires ability to create or modify execution files with malicious Markdown content, and victims must view those files through the vulnerable preview feature.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j
Restart Required: Yes
Instructions:
No official patch available. Monitor Kestra releases for security updates and apply immediately when available.
🔧 Temporary Workarounds
Disable Markdown preview
Disable or restrict access to the execution-file preview feature that renders Markdown files.
Implement input validation
Add server-side validation to sanitize or reject Markdown content containing script tags and dangerous HTML elements.
🧯 If You Can't Patch
- Restrict user permissions to create or modify execution files containing Markdown content
- Implement web application firewall (WAF) rules to detect and block XSS payloads in Markdown content
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Kestra 1.1.10 or earlier and whether the execution-file preview feature is enabled.
Check Version:
Check Kestra server logs or configuration files for version information
Verify Fix Applied:
When a patch becomes available, verify that the version has been updated beyond 1.1.10 and test that the Markdown preview no longer executes JavaScript.
📡 Detection & Monitoring
Log Indicators:
- Unusual Markdown content in execution files, especially containing script tags or JavaScript
Network Indicators:
- Unexpected outbound connections from user browsers after viewing execution files
SIEM Query:
Search for execution file access logs containing suspicious patterns like <script> tags or javascript: URIs
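As an added example (not code from the advisory or from Kestra), the following Python triage check applies the server-side validation workaround and the detection indicators above (script tags, javascript: URIs, inline event handlers, embedding tags) to execution-file Markdown, decoding HTML entities and URL-encoding first so simple encoding tricks do not hide them; the file names and contents are constructed sample data. It flags content for review and does not replace an HTML sanitizer in the rendering path.

```python
import re
import html
import urllib.parse

# Heuristic indicators of HTML/JavaScript smuggled into Markdown. This is a
# triage aid for execution-file content (log/SIEM review or a server-side
# reject rule), not a substitute for sanitizing the rendered HTML.
INDICATORS = {
    "script_tag":    re.compile(r"<\s*script\b", re.I),
    # javascript: in a raw href/src attribute or in a Markdown link/image target
    "js_uri":        re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript\s*:|\]\(\s*javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "embed_tag":     re.compile(r"<\s*(?:iframe|object|embed|svg|math)\b", re.I),
}

def normalize(text):
    """Undo encodings that hide indicators from naive matching (CommonMark decodes
    entities in link destinations, so &#106;avascript: renders as javascript:)."""
    return html.unescape(urllib.parse.unquote(text))

def find_xss_indicators(markdown_text):
    """Return one finding per (line, indicator) hit, with a short snippet for the analyst."""
    findings = []
    for lineno, line in enumerate(markdown_text.splitlines(), start=1):
        probe = normalize(line)
        for name, pattern in INDICATORS.items():
            m = pattern.search(probe)
            if m:
                findings.append({"line": lineno, "indicator": name,
                                 "snippet": probe[m.start():m.start() + 40]})
    return findings

def triage_execution_files(files):
    """Run the check over {path: content}; return only the files that have hits."""
    return {path: hits for path, content in files.items()
            if (hits := find_xss_indicators(content))}

# Constructed sample execution files; the payloads are inert on purpose.
SAMPLE_FILES = {
    "run-42/report.md": "# Run 42\n\nSee [the docs](https://kestra.io/docs).\n\n```\necho done\n```\n",
    "run-43/notes.md": ("# Notes\n"
                        "<script>/* constructed sample */</script>\n"
                        "[open](&#106;avascript:void(0))\n"
                        "<img src=\"x\" onerror=\"\">\n"),
}

if __name__ == "__main__":
    for path, hits in triage_execution_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}:{h['line']} {h['indicator']}: {h['snippet']}")
```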