{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP POST to /api/v1/main/flows/configs and /api/v1/main/executions/trigger/configs/configs (paths ending in /configs) against the real Kestra webserver",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "kestra-standalone",
    "h2-inmemory",
    "micronaut",
    "plugin-script-shell",
    "process-task-runner"
  ],
  "proof_artifacts": [
    "logs/results_summary.txt",
    "logs/vuln_create_flow_resp.txt",
    "logs/vuln_trigger_resp.txt",
    "logs/vuln_marker.txt",
    "logs/vuln_container.log",
    "logs/fixed_bypass_resp.txt",
    "logs/fixed_create_flow_resp.txt",
    "logs/fixed_trigger_resp.txt",
    "logs/fixed_marker.txt",
    "logs/fixed_container.log",
    "repro/malicious_flow.yaml"
  ],
  "rce_observed": true,
  "fixed_blocks_bypass": true,
  "marker_token": "PWNED_KESTRA_RCE_1783230520_7605",
  "notes": "Unauthenticated RCE confirmed on v1.0.44: created and triggered a shell flow via /configs-suffix path bypass; an OS command wrote a marker file as the kestra service user. Fixed v1.0.45 returns 401 for all bypass attempts and executes nothing."
}
