cbcvebase.
CVE-2026-3515
published 2026-05-24

CVE-2026-3515: A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git…

PriorityP359high8.5CVSS 3.0
AVNACLPRLUINSCCHILAN
EPSS
0.30%
21.4th percentile
A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.

Affected

2 ranges
VendorProductVersion rangeFixed in
prefecthqprefecthq_prefect0 – 3.6.18
prefecthqprefecthq_prefectunspecified – latest

CVSS provenance

nvdv3.08.5HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
cvelistv5v3.08.5HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.