
Kestra Orchestration Platform CVE-2026-34612 (CVSS 9.9) Enables Unauthenticated RCE

Saturday, April 4, 2026
Global
NVD

Summary

A critical vulnerability (CVE-2026-34612, CVSS 9.9) in Kestra, an open-source event-driven orchestration platform, allows unauthenticated remote code execution through the default Docker Compose deployment configuration in versions prior to 1.3.7. Published to NVD on April 4, 2026, this flaw exposes Kestra instances and all connected workflows, secrets, and infrastructure to complete compromise.

Threat Analysis

CVE-2026-34612 is a critical remote code execution vulnerability (CVSS 9.9) in Kestra, an open-source event-driven orchestration and scheduling platform. The vulnerability exists in the default Docker Compose deployment configuration used by Kestra prior to version 1.3.7, which exposes the platform to unauthenticated remote code execution. Attackers can exploit this flaw to execute arbitrary code on the server, potentially gaining access to all workflows, secrets, and connected systems managed by the Kestra instance.

Orchestration platforms like Kestra are high-value targets because they typically have broad access to organizational infrastructure, credentials, and data pipelines. This vulnerability was published to the NVD on April 4, 2026.

Organizations using Kestra should immediately update to version 1.3.7 or later, review their deployment configurations to ensure they do not use insecure defaults, implement network-level access controls to restrict who can reach the Kestra interface, and audit existing deployments for signs of unauthorized access or workflow modification. The broad access that orchestration platforms have to organizational systems makes this a particularly dangerous vulnerability.
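The two actionable checks in the guidance above (is the deployed image older than 1.3.7, and is the Kestra interface published on every network interface rather than restricted) can be scripted against a docker-compose.yml. The following is an added example written for this page; it is not code from the advisory, from NVD, or from the Kestra project. It assumes a compose file with a service that uses the `kestra/kestra` image and Compose's short `HOST:CONTAINER` or `IP:HOST:CONTAINER` port syntax (all constructed); the advisory does not name the specific insecure default, so the script covers only version and exposure, not the vulnerable setting itself.

```python
"""Audit a Kestra docker-compose.yml for two points the advisory raises:
the image version (fixed in 1.3.7) and which interface published ports bind to.
Added example with constructed input; not the advisory's or Kestra's own code."""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (1, 3, 7)  # per the advisory: patched in 1.3.7 and later

# Constructed sample compose file (assumption about layout, not a real deployment).
SAMPLE_COMPOSE = """\
services:
  kestra:
    image: kestra/kestra:1.3.5
    ports:
      - "8080:8080"
      - "127.0.0.1:8081:8081"
    environment:
      KESTRA_CONFIGURATION: ""
  postgres:
    image: postgres:16
    ports:
      - "5432:5432"
"""


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from '1.3.5', 'v1.3.7' or '1.3.7-full';
    None for non-numeric tags such as 'latest', which cannot be compared."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def port_bound_to_all_interfaces(mapping: str) -> bool:
    """Short Compose syntax: 'HOST:CONTAINER' publishes on 0.0.0.0;
    'IP:HOST:CONTAINER' restricts to IP. Long-form ('- target: ...') is not handled."""
    parts = mapping.strip().strip("\"'").split(":")
    if len(parts) <= 2:
        return True
    return parts[0] in ("", "0.0.0.0", "::")


def audit_compose(text: str) -> List[str]:
    """Line-oriented scan (no YAML dependency). Returns human-readable findings."""
    findings: List[str] = []
    service = None
    in_ports = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        # A 2-space-indented key under 'services:' names a service.
        if indent == 2 and stripped.endswith(":"):
            service, in_ports = stripped[:-1], False
            continue
        if stripped.startswith("image:"):
            in_ports = False
            image = stripped.split(":", 1)[1].strip()
            repo, _, tag = image.rpartition(":")
            if not repo or "/" in tag:  # no tag given -> implicit 'latest'
                repo, tag = image, "latest"
            if "kestra" in repo:
                ver = parse_version(tag)
                if ver is None:
                    findings.append(f"{service}: tag '{tag}' is not pinned; confirm it resolves to >= 1.3.7")
                elif ver < FIXED_VERSION:
                    findings.append(f"{service}: Kestra {tag} is older than 1.3.7 (CVE-2026-34612 unpatched)")
            continue
        if stripped.startswith("ports:"):
            in_ports = True
            continue
        if in_ports and stripped.startswith("- "):
            mapping = stripped[2:]
            if port_bound_to_all_interfaces(mapping):
                findings.append(f"{service}: port mapping {mapping} is reachable on all interfaces")
            continue
        in_ports = False  # any other key ends the ports list
    return findings


if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print(finding)
```

Run against a real file with `audit_compose(open("docker-compose.yml").read())`. A "reachable on all interfaces" finding does not by itself mean the host is exposed (a host firewall or reverse proxy may sit in front), but it is the line to change, or the rule to verify, when restricting who can reach the Kestra interface.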

Last updated: Apr 4, 2026, 08:16 AM
