
kestra

v1.2.19 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

automation data-orchestration devops high-availability iac java
low-code lowcode orchestration pipeline pipeline-as-code workflow

Affected surfaces

rce_ssrf

Summary

AI summary

Fixed storage parenTransversalGuard mishandling of encoded characters.

Changes in this release

Bugfix Medium

parenTransversalGuard now handles encoded characters


Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Full changelog

Changelog

📘 Subtasks

version

  • 8bc838b update to version '1.2.19'

🐛 Bug Fixes

ci

  • 5fd46fc replace GH_PERSONAL_TOKEN with GitHub App installation tokens (#16043), closes #16043

storage

  • 421f6f7 parenTransversalGuard was not handling encoded characters

Contributors

We'd like to thank the following people for their contributions:
GitHub, Roman Acevedo, brian-mulier-p, github-actions[bot]

Security Fixes

  • dep: GH_PERSONAL_TOKEN replaced with GitHub App installation tokens (CI)


About kestra

Event Driven Orchestration & Scheduling Platform for Mission Critical Applications
