Security Advisory - Published 2026-06-27 - DevOps / Self-hosted
Self-hosted DevOps batch: check Budibase, OpenProject, Kestra, Dokku, ToolJet, Airflow, and 3X-UI
This batch targets self-hosted control planes and automation platforms. The common risk is not a single endpoint but the combination of exposed apps, weak default secrets, workflow runners, archive import, Docker images, admin panels, and automation credentials, all of which sit close to production systems.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-54350 | Budibase | before 3.39.12 | workflow and admin logs | 10.0 |
| CVE-2026-53576 | Kestra | before 1.0.45 and 1.3.21 | workflow and admin logs | 10.0 |
| CVE-2026-46386 | OpenProject | vendor-fixed release | workflow and admin logs | 9.9 |
| CVE-2026-55413 | ToolJet | before 3.20.178-lts | workflow and admin logs | 9.4 |
| CVE-2026-45405 | Dokku | before 0.38.2 | workflow and admin logs | 9.0 |
| CVE-2026-45406 | Dokku | before 0.38.2 | workflow and admin logs | 9.0 |
| CVE-2026-45408 | Dokku | before 0.38.2 | workflow and admin logs | 9.0 |
| CVE-2026-54636 | Dokku | before 0.38.7 | workflow and admin logs | 9.0 |
| CVE-2026-55069 | Kestra | before 1.3.24 | workflow and admin logs | 8.7 |
| CVE-2026-52783 | OpenProject | before 17.3.3 and 17.4.1 | workflow and admin logs | 8.2 |
| CVE-2026-49486 | Apache Airflow FTP provider | vendor-fixed release | workflow and admin logs | 7.5 |
| CVE-2026-55477 | 3X-UI | before 3.3.1 | workflow and admin logs | 7.2 |
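The "Affected" column mixes single fixed releases ("before 3.39.12") with two maintained branches ("before 1.0.45 and 1.3.21") and rows with no version at all ("vendor-fixed release"). The script below is an added example, not part of the advisory or any vendor's tooling; it encodes the table above and decides, for a deployed version, whether it sits below the fix on its own branch. A deployment on a branch the page does not list is treated as fixed only when it is newer than every listed fix, and rows without a version are returned as "manual review". The inventory in the `__main__` block is constructed sample input.

```python
"""Compare deployed versions against the advisory's "Affected" column."""
import re

# Advisory rows from the table: (cve, product, fixed versions, one per branch).
# An empty tuple means the page publishes no version, so no automatic verdict.
ADVISORY = [
    ("CVE-2026-54350", "Budibase", ("3.39.12",)),
    ("CVE-2026-53576", "Kestra", ("1.0.45", "1.3.21")),
    ("CVE-2026-46386", "OpenProject", ()),
    ("CVE-2026-55413", "ToolJet", ("3.20.178-lts",)),
    ("CVE-2026-45405", "Dokku", ("0.38.2",)),
    ("CVE-2026-45406", "Dokku", ("0.38.2",)),
    ("CVE-2026-45408", "Dokku", ("0.38.2",)),
    ("CVE-2026-54636", "Dokku", ("0.38.7",)),
    ("CVE-2026-55069", "Kestra", ("1.3.24",)),
    ("CVE-2026-52783", "OpenProject", ("17.3.3", "17.4.1")),
    ("CVE-2026-49486", "Apache Airflow FTP provider", ()),
    ("CVE-2026-55477", "3X-UI", ("3.3.1",)),
]

VERDICT = {True: "AFFECTED", False: "fixed", None: "manual review"}


def parse_version(v):
    """'3.20.178-lts' -> (3, 20, 178); release suffixes such as -lts are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def is_affected(deployed, fixed_versions):
    """True if deployed is below the fix on its branch, False if at/above it,
    None when the advisory gives no fixed version to compare against."""
    if not fixed_versions:
        return None
    d = parse_version(deployed)
    fixes = [parse_version(f) for f in fixed_versions]
    # A branch is identified by major.minor; compare against the fix on that branch.
    same_branch = [f for f in fixes if f[:2] == d[:2]]
    if same_branch:
        return d < min(same_branch)
    # Not on a listed branch: only a release newer than every fix is assumed fixed;
    # anything older, or between two fixed branches, has no fix available.
    return d < max(fixes)


def check_inventory(inventory):
    """inventory: {product: deployed version}. Returns [(cve, product, verdict)]."""
    results = []
    for cve, product, fixes in ADVISORY:
        if product in inventory:
            results.append((cve, product, VERDICT[is_affected(inventory[product], fixes)]))
    return results


if __name__ == "__main__":
    # Constructed sample inventory (assumption, not a real deployment record).
    sample = {"Budibase": "3.39.11", "Kestra": "1.3.22", "Dokku": "0.38.5",
              "OpenProject": "17.4.0", "3X-UI": "3.3.1"}
    for cve, product, verdict in check_inventory(sample):
        print(f"{cve:16} {product:14} {verdict}")
```

Feed it the versions recorded in your deployment inventory; every "AFFECTED" or "manual review" row should map to an upgrade ticket before the log-preservation and credential-rotation steps below are started.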
What to check
- Published Budibase apps, backing database exposure, app records, and guest access paths.
- OpenProject storage integrations, Docker image configuration, default secret state, OAuth tokens, and background jobs.
- Kestra REST API exposure, BasicAuth configuration, workflow namespaces, runner logs, and service accounts.
- Dokku app names, archive imports, OpenResty include files, cron definitions, and Git push activity.
- ToolJet workspace users, app editor actions, server-side code steps, and environment variables exposed to builders.
- Airflow FTP provider use where encrypted control channels were assumed to protect transferred data.
- 3X-UI admin access, database import activity, generated configs, and service restart history.
Safe fix path
- Move each product to the vendor-fixed release and restrict admin or API paths to trusted networks.
- Preserve workflow, container, reverse-proxy, and application logs before deleting jobs or rebuilding hosts.
- Rotate OAuth tokens, API keys, service credentials, and database passwords when exposure or default-secret risk is possible.
- Rebuild containers and redeploy from known-good config after patching; do not reuse suspicious generated files.
Compromise indicators
- New users, role changes, unexpected sessions, or unknown API tokens.
- Files changed during the exposure window, especially executable files or generated configs.
- Repeated application errors, database errors, queue failures, or unusual outbound requests.
- Plugin, container, service, or package versions that differ from the expected deployment record.
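The second indicator, files changed during the exposure window with executables and generated configs first, is the kind of check worth scripting before a host is rebuilt. The following is an added example, not from the advisory: it walks a directory tree, keeps regular files whose modification time falls inside a start/end window, and orders the hits so executable files come first, generated-config extensions second, and everything else after. The sample tree in `build_sample_tree`, its permissions and its timestamps are constructed inside the script; the config-suffix list is an assumption to adjust per product.

```python
"""List files modified inside an exposure window, most suspicious first."""
import os
import stat
import tempfile
import time

# Assumed set of generated-config extensions; extend per product (OpenResty
# includes, cron definitions, .env files and similar).
CONFIG_SUFFIXES = (".conf", ".yml", ".yaml", ".json", ".env", ".toml")


def changed_in_window(root, start_ts, end_ts):
    """Return [(path, mtime, is_executable, is_config)] for regular files with
    start_ts <= mtime <= end_ts, sorted executables > configs > other, newest first."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks planted in the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not (start_ts <= st.st_mtime <= end_ts):
                continue
            is_exec = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            is_cfg = name.lower().endswith(CONFIG_SUFFIXES)
            hits.append((path, st.st_mtime, is_exec, is_cfg))
    # Tiering: executables first, then generated configs, then the rest;
    # within a tier the most recently modified file comes first.
    hits.sort(key=lambda h: (not h[2], not h[3], -h[1]))
    return hits


def build_sample_tree(base, window_start):
    """Constructed sample: four files with mtimes placed relative to window_start."""
    files = {
        "nginx/app.conf": (window_start + 600, 0o644),   # config inside the window
        "bin/helper.sh": (window_start + 1200, 0o755),   # executable inside the window
        "README.md": (window_start + 300, 0o644),        # plain file inside the window
        "old/legacy.conf": (window_start - 86400, 0o644),  # a day before the window
    }
    for rel, (mtime, mode) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return base


def demo():
    """Build the sample tree and return (relative path, is_exec, is_config) per hit."""
    base = tempfile.mkdtemp()
    start = time.time() - 7200
    build_sample_tree(base, start)
    hits = changed_in_window(base, start, start + 3600)
    return [(os.path.relpath(p, base), e, c) for p, _, e, c in hits]


if __name__ == "__main__":
    for rel, is_exec, is_cfg in demo():
        print(f"{'EXEC ' if is_exec else 'cfg  ' if is_cfg else '     '} {rel}")
```

Run it against a read-only copy or snapshot of the affected host with the window taken from the reverse-proxy and application logs preserved in the fix path above; the point is to review, not delete, so the output is a worklist for the file and container review rather than a cleanup command.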
When to ask Ping7 for repair
Use Ping7 CVE Repair when the affected component is public, logs show suspicious activity, patching may break production, or cleanup requires file, database, user, token, or container review.