CVE-2026-29082 is a cross-site scripting (XSS) vulnerability identified in the Kestra event-driven orchestration platform, affecting versions up to and including 1.1.10. Kestra’s execution-file preview feature allows users to upload and preview Markdown (.md) files. Internally, Kestra uses the markdown-it library instantiated with the option html:true, which permits raw HTML tags within Markdown content. The rendered HTML is then injected into the web interface using Vue.js’s v-html directive without any sanitization or output encoding. This combination leads to improper neutralization of user input (CWE-79), enabling an attacker with at least low privileges to craft malicious Markdown files containing embedded JavaScript. When these files are previewed, the malicious script executes in the context of the victim’s browser session. The vulnerability has a CVSS 3.1 base score of 7.3, indicating high severity, with the vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. This means the attack is network-based, requires low privileges and user interaction, affects confidentiality and integrity severely, but does not impact availability. At the time of publication, no patches or official fixes are available, increasing the urgency for defensive measures. Although no exploits have been observed in the wild yet, the vulnerability poses a significant risk to organizations relying on Kestra for orchestration workflows, especially where sensitive data or administrative functions are involved.

The primary impact of this vulnerability is the potential for an attacker to execute arbitrary JavaScript code within the context of the Kestra web application. This can lead to theft of sensitive information such as authentication tokens, session cookies, or other confidential data accessible via the browser. It can also enable unauthorized actions on behalf of the victim user, including modifying orchestration workflows or injecting malicious payloads into the system. Given Kestra’s role in event-driven orchestration, compromise could disrupt automated processes or lead to further lateral movement within an organization’s infrastructure. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing risk. Organizations worldwide using Kestra, especially in sectors like cloud services, DevOps, and automation-heavy industries, face confidentiality and integrity risks. The absence of patches means the vulnerability could be exploited once publicly disclosed or weaponized, potentially leading to data breaches or operational disruptions.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict access to the Kestra execution-file preview feature to trusted users only, minimizing exposure to untrusted input. 2) Implement network-level controls such as web application firewalls (WAFs) with custom rules to detect and block suspicious Markdown content or script injection attempts targeting Kestra interfaces. 3) Educate users about the risks of previewing untrusted Markdown files and enforce policies to avoid uploading files from unknown sources. 4) If possible, disable or limit the use of the Markdown preview feature temporarily. 5) Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 6) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 7) Prepare to apply patches promptly once they become available and test updates in a controlled environment before deployment. 8) Consider isolating Kestra instances in segmented network zones to limit potential lateral movement in case of compromise.