A vulnerability was found in kestra-io kestra up to 1.0.44/1.3.22 and classified as critical . This affects an unknown function of the file /api/v1 of the component Local internal-storage Backend . The manipulation results in path traversal. This vulnerability was named CVE-2026-49984 . The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.