kestra

v1.0.43 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 13d Automation & Workflows

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

automation data-orchestration devops high-availability iac java

+6 more

low-code lowcode orchestration pipeline pipeline-as-code workflow

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 13d

Kestra v1.0.43 fixes a path traversal vulnerability in inputFiles filename resolution, adds InputStream/OutputStream serialization support, and resolves replay and test stability issues.

Why it matters: Path traversal in inputFiles filename resolution is fixed in v1.0.43. Deployments should upgrade immediately; includes related feature and reliability improvements.

Summary

AI summary

Updates 🐛 Bug Fixes core, 🚀 Features core, and 📘 Subtasks version across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	prevent path traversal in inputFiles filename resolution prevent path traversal in inputFiles filename resolution Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	add InputStream/OutputStream-based methods to FileSerde add InputStream/OutputStream-based methods to FileSerde Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	fix replay to different revision functionality fix replay to different revision functionality Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	fix flaky WorkerTest and liveness coordinator tests fix flaky WorkerTest and liveness coordinator tests Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Changelog

🚀 Features

core

b10dcc1 add InputStream/OutputStream-based methods to FileSerde (#16110) (#16176), closes #16110 #16176

📘 Subtasks

version

27c0064 update to version '1.0.43'

🐛 Bug Fixes

core

0f7c840 prevent path traversal in inputFiles filename resolution

execution

f7f85e2 replay to a different revision, closes #15982 #16109

tests

bb50062 fix flaky WorkerTest and liveness coordinator tests

Contributors

We'd like to thank the following people for their contributions:
GitHub, Loïc Mathieu, Nicolas K., Roman Acevedo, github-actions[bot], nKwiatkowski

Security Fixes

Prevent path traversal in inputFiles filename resolution (core)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track kestra

Get notified when new releases ship.

About kestra

Event Driven Orchestration & Scheduling Platform for Mission Critical Applications

All releases →