CVE-2026-45807

Summary: Kestra prior to versions 1.0.43 and 1.3.19 is affected by a path-traversal vulnerability. Several API endpoints accept a kestra:// URI and pass it through StorageInterface.parentTraversalGuard, which only inspects the literal URI.toString(). An URL-encoded .. ("%2E%2E") can slip through,...