kestra

v1.3.19 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 13d Automation & Workflows

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

automation data-orchestration devops high-availability iac java

+6 more

low-code lowcode orchestration pipeline pipeline-as-code workflow

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal

editorial:auto 13d

Kestra v1.3.19 patches path traversal in inputFiles filename resolution and adds InputStream/OutputStream methods to FileSerde. Routine release also stabilizes test execution.

Why it matters: Path traversal in inputFiles is patched. Update to 1.3.19 when planning routine upgrades; test in dev if using file input processing.

Summary

AI summary

Updates 🐛 Bug Fixes core, 🚀 Features core, and 📘 Subtasks version across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature	Medium	add InputStream/OutputStream-based methods to FileSerde in core module add InputStream/OutputStream-based methods to FileSerde in core module Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	update to version '1.3.19' in version module update to version '1.3.19' in version module Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix
Bugfix	Medium	replay to a different revision in execution module replay to a different revision in execution module Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	prevent path traversal in inputFiles filename resolution in core module prevent path traversal in inputFiles filename resolution in core module Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	fix flaky WorkerTest and liveness coordinator tests in tests module fix flaky WorkerTest and liveness coordinator tests in tests module Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Changelog

🚀 Features

core

b63fba1 add InputStream/OutputStream-based methods to FileSerde (#16110), closes #16110

📘 Subtasks

version

82cb2d9 update to version '1.3.19'

🐛 Bug Fixes

core

d549651 prevent path traversal in inputFiles filename resolution #16159, closes #16143 #16159

execution

d7d2c55 replay to a different revision, closes #15982 #16109

tests

53dc2c6 fix flaky WorkerTest and liveness coordinator tests

Contributors

We'd like to thank the following people for their contributions:
GitHub, Loïc Mathieu, Nicolas K., Roman Acevedo, github-actions[bot], nKwiatkowski

Security Fixes

Prevented path traversal vulnerability during inputFiles filename resolution in core

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track kestra

Get notified when new releases ship.

About kestra

Event Driven Orchestration & Scheduling Platform for Mission Critical Applications

All releases →