
kestra

v1.3.21 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

automation data-orchestration devops high-availability iac java low-code lowcode orchestration pipeline pipeline-as-code workflow

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 1d

The release patches several security vulnerabilities: it blocks backslash path traversal in LocalStorage (GHSA-qw4v-6w32-xx9h), fixes a potential authentication bypass, and resolves path traversal issues in namespace files.

Why it matters: Security fixes address GHSA-qw4v-6w32-xx9h, an authentication bypass, and namespace file traversal; severity scores exceed 80. Operators should apply the update promptly to protect data integrity and access control.

Summary

AI summary

Updates πŸ› Bug Fixes auth, πŸ“˜ Subtasks deps, and GHSA-qw4v-6w32-xx9h across a mixed release.

Changes in this release

  • Security, Critical: Rejects backslash path traversal in LocalStorage (GHSA-qw4v-6w32-xx9h).
  • Security, Critical: Fixes potential authentication bypass in the authentication filter.
  • Security, High: Fixes potential path traversal issues in namespace files.
  • Dependency, Low: Upgrades Pebble to version 4.1.2.
  • Bugfix, Medium: Marks taskrun attempt when calling markAs in execution flowable.
  • Bugfix, Medium: Updates taskrun parent attempt when killing an execution flowable.
  • Bugfix, Medium: Handles purged output files in scheduler component.
  • Bugfix, Medium: Restores missing MDC fields in logging.
  • Bugfix, Medium: Drops global SLF4J MDC piggy-back.
  • Bugfix, Medium: Ensures preview checks for validation response errors.

Source for all entries: llm_adapter@2026-06-02 (confidence: high).

Full changelog

📘 Subtasks

deps

  • 3d13aa7 Upgrade Pebble to 4.1.2, closes #15048 #16407

version

  • 2541c53 update to version '1.3.21'

πŸ› Bug Fixes

auth

  • 2475839 potential authentication bypass in the authentication filter

core

  • ac101e2 remove properties that are not available in 1.3
  • b5d75ff failing tests
  • 66c239f add missing @Valid annotation

execution

  • 5aabaf7 clean all ancestor states in loop untils, closes #14811
  • 368dd43 markAs should also mark the taskrun attempt, closes #15622
  • 0004059 update taskrun parent attempt when killing an execution flowable, closes #14870
  • 7cd7275 potential path traversal issues in namespace files
  • 92ad7b6 preview was not checking if any validation response error happened

executions

  • 818df5c handle purged output files (backport #16480) (#16486), closes #16480 #16486

flow

  • 2125def Use the tenant from the URL when updating a concurrency limit

flows

  • a2f1843 register pebble filter autocompletion in YAML flow editor (#16296) (#16301), closes #16296 #16301

logs

  • f1b0d2e drop global SLF4J MDC piggy-back
  • 8d08946 restore MDC fields

scheduler

  • 86a4f46 restrict JdbcCleaner to executor component to prevent deadlocks (#16380), closes #16380

storage

  • c0a7e27 reject backslash path traversal in LocalStorage (GHSA-qw4v-6w32-xx9h)

tasks

  • 482fdcf honor explicit taskRunner over deprecated runner PluginDefault (#16274), closes #16274

Contributors

We'd like to thank the following people for their contributions:
GitHub, Loïc Mathieu, Nicolas K., Roman Acevedo, Rémi Barthe, brian-mulier-p, github-actions[bot], nKwiatkowski

Security Fixes

  • GHSA-qw4v-6w32-xx9h – LocalStorage now rejects backslash path traversal
  • Auth filter fixes a potential authentication bypass vulnerability


About kestra

Event Driven Orchestration & Scheduling Platform for Mission Critical Applications

