{
  "variant_id": "kestra-cve-2026-49869-openurl-webhook-alttrigger",
  "created_at": "2026-07-05T05:57:00Z",
  "variant_summary": "Alternate unauthenticated RCE trigger on Kestra OSS v1.0.44 via the AuthenticationFilter isOpenUrl branch (startsWith on the production-default open-url /api/v1/main/executions/webhook/) + ExecutionController /webhook endpoint. The CREATE step reuses the /configs suffix bypass (isConfigEndpoint); the TRIGGER step uses a DIFFERENT whitelist branch (isOpenUrl, untouched by fix 28ff533d8) and a DIFFERENT endpoint (/webhook vs /trigger). The trigger path ends with the webhook key, not /configs, so it does not rely on the isConfigEndpoint bypass at the trigger layer. On the fixed v1.0.45 the /configs create-bypass is closed (401) so no RCE; the open webhook path remains open (404 not 401), confirming the fix did not touch the isOpenUrl branch (documented open trigger; defense-in-depth gap).",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "kestra-io/kestra",
  "submitted_target": {
    "target_kind": "docker_image",
    "version": "1.0.44",
    "ref": "kestra/kestra:v1.0.44",
    "display": "kestra/kestra:v1.0.44 (git tag v1.0.44 -> 3cf9c7f5cc29eea76d90d692603f811499948a9f)"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "commit_sha": "9225d093663e47d8e4cb3ed3969c80f7575a8817",
    "version": "1.0.45",
    "ref": "kestra/kestra:v1.0.45",
    "display": "kestra/kestra:v1.0.45 (git tag v1.0.45 -> 9225d093663e47d8e4cb3ed3969c80f7575a8817; fix 28ff533d8 ancestor)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Unauthenticated HTTP GET to /api/v1/main/executions/webhook/configs/configs/<webhook-key> (open-url webhook trigger) after unauthenticated POST /api/v1/main/flows/configs to create a webhook-equipped flow via the /configs suffix bypass.",
  "attacker_controlled_input": "Unauthenticated HTTP: (1) POST /api/v1/main/flows/configs with YAML flow body (namespace=id=configs, Webhook trigger with attacker-chosen key, shell Commands task); (2) GET /api/v1/main/executions/webhook/configs/configs/<key> to trigger execution.",
  "trigger_path": "AuthenticationFilter.doFilter -> isConfigEndpoint bypass (endsWith /configs) for flow CREATE on vulnerable; AuthenticationFilter.doFilter -> isOpenUrl bypass (startsWith /api/v1/main/executions/webhook/) for flow TRIGGER on both vulnerable and fixed; ExecutionController.triggerExecutionByGetWebhook -> webhook() -> flow shell task runs in worker (RCE). isOpenUrl branch is not modified by fix 28ff533d8.",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "is_bypass": false,
  "bypass_blocked_by": "Fix 28ff533d8 closes the /configs suffix bypass for flow CREATION (POST /api/v1/main/flows/configs -> 401 on fixed); without an unauthenticated flow-create the open webhook has no flow to trigger (404, no RCE).",
  "claim_block_reason": null,
  "blocking_mitigation": "Fix 28ff533d8 (exact /configs match + normalizePath) blocks unauthenticated flow creation on v1.0.45+, breaking the alternate-trigger chain at the creation step.",
  "file_path": "webserver/src/main/java/io/kestra/webserver/filter/AuthenticationFilter.java",
  "line_start": 60,
  "line_end": 72,
  "secondary_anchors": [
    {
      "file_path": "webserver/src/main/java/io/kestra/webserver/controllers/api/ExecutionController.java",
      "line_start": 493,
      "line_end": 510
    },
    {
      "file_path": "cli/src/main/resources/application.yml",
      "line_start": 166,
      "line_end": 173
    },
    {
      "file_path": "core/src/main/java/io/kestra/plugin/core/trigger/Webhook.java",
      "line_start": 102,
      "line_end": 120
    }
  ],
  "review_scope_paths": [
    "webserver/src/main/java/io/kestra/webserver/filter/AuthenticationFilter.java",
    "webserver/src/main/java/io/kestra/webserver/controllers/api/ExecutionController.java",
    "cli/src/main/resources/application.yml",
    "core/src/main/java/io/kestra/plugin/core/trigger/Webhook.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "repro_log": "bundle/logs/variant_results_summary.txt",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
