Prefecthq Prefect vulnerabilities
5 known vulnerabilities affecting prefecthq/prefecthq_prefect.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4
Vulnerabilities
CVE-2026-5366 | P2 | CRITICAL | CVSS 9.9 | affected: ≥ unspecified, ≤ latest | 2026-06-20
CVE-2026-5366 [CRITICAL] CWE-94
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary gi
Sources: nvd
CVE-2026-3515 | P3 | HIGH | CVSS 8.5 | affected: ≥ unspecified, ≤ latest | 2026-05-24
CVE-2026-3515 [HIGH] CWE-88
A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enab
Sources: cvelistv5, ghsa, nvd
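CVE-2026-5366 and CVE-2026-3515 above describe the same defect class: a user-controlled `commit_sha` or `reference` reaches a git command without validation and without a `--` separator, in the second case after the whole command string is run through `shlex.split()`. The following is an added example written for this page, not Prefect's or prefect-github's code. It models the flawed pattern beside a hardened version; the git subcommands used, the placeholder URL, the payload strings and the function names are assumptions made for the illustration.

```python
"""Git option injection through untrusted refs, beside a hardened version."""
import re
import shlex

REPO_URL = "https://example.invalid/org/repo.git"  # placeholder, not a real repo
# Constructed payloads.  shlex honours the attacker's quotes, so the injected
# option survives as a single argv token; --upload-pack tells git which
# program to run to serve the clone, a classic way to turn this into RCE.
EVIL_REFERENCE = "main --upload-pack='touch /tmp/pwned'"
EVIL_COMMIT_SHA = "--upload-pack=touch /tmp/pwned"


def vulnerable_clone_argv(url: str, reference: str) -> list:
    """Flawed pattern: format user text into a command string, then split it.
    Whitespace and quotes in `reference` become extra argv entries."""
    return shlex.split(f"git clone --branch {reference} {url} repo")


def vulnerable_checkout_argv(commit_sha: str) -> list:
    """Flawed pattern (assumed subcommand): an unvalidated value in a slot where
    git's option parser still accepts `--flags`, because nothing checked its
    format and no `--` precedes it."""
    return ["git", "checkout", commit_sha]


_HEX_OID = re.compile(r"\A(?:[0-9a-fA-F]{7,40}|[0-9a-fA-F]{64})\Z")  # SHA-1 (abbrev ok) or SHA-256
# Characters git itself refuses in ref names, plus whitespace and control bytes.
_BAD_REF_CHARS = re.compile(r"[\s\x00-\x1f\x7f~^:?*\[\\]|\.\.|@\{")


def is_valid_commit_sha(sha: str) -> bool:
    """A commit id is hex of plausible length and nothing else, so it can
    never start with '-' or carry an embedded option."""
    return bool(_HEX_OID.fullmatch(sha))


def is_valid_ref(ref: str) -> bool:
    """Approximation of `git check-ref-format`, enough to stop option
    injection: no leading '-', no forbidden characters, no empty, dot-leading
    or '.lock'-ending components, no trailing '/', '.' or '.lock'."""
    if not ref or ref.startswith("-") or ref.endswith(("/", ".", ".lock")):
        return False
    if _BAD_REF_CHARS.search(ref):
        return False
    return not any(p == "" or p.startswith(".") or p.endswith(".lock") for p in ref.split("/"))


def safe_clone_argv(url: str, reference: str) -> list:
    """argv as a list (no shell string, no shlex), `--branch=<ref>` as one
    token so the value can never become its own option, and `--` so the URL
    and directory are parsed as operands even if they began with '-'."""
    if not is_valid_ref(reference):
        raise ValueError(f"rejected git reference: {reference!r}")
    return ["git", "clone", f"--branch={reference}", "--", url, "repo"]


def safe_checkout_argv(commit_sha: str) -> list:
    """A `--` placed before the tree-ish would make git read it as a pathspec,
    so for `git checkout <sha>` strict format validation is the control."""
    if not is_valid_commit_sha(commit_sha):
        raise ValueError(f"rejected commit sha: {commit_sha!r}")
    return ["git", "checkout", commit_sha]
```

The two controls are complementary: validation rejects values that are not a ref or object id at all, and the list-plus-`--` construction keeps a legitimate but odd-looking value from being parsed as an option. Neither replaces the other, because `--` only protects operands that follow it, and validation alone still leaves the string-then-split pattern one regex mistake away from injection.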
CVE-2026-3514 | P3 | HIGH | CVSS 7.5 | affected: ≥ unspecified, < 3.6.22 | 2026-06-02
CVE-2026-3514 [HIGH] CWE-863
In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'h
Sources: nvd
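The suffix test described in CVE-2026-3514 is a general pitfall: a probe exemption must match the closed set of probe routes exactly, not any path that happens to end in the probe word. The following is an added example written for this page, not Prefect's code. It puts the described suffix check beside an exact-match one and drives both through a minimal middleware decision; the route paths, the token check and the attacker-chosen resource name are assumptions.

```python
"""Health-check path exemptions: suffix match beside exact match."""
from typing import Callable, Optional
from urllib.parse import urlsplit

PROBE_PATHS = frozenset({"/api/health", "/api/ready"})  # assumed exact probe routes
VALID_TOKEN = "constructed-api-token"  # constructed; stands in for the real credential check


def vulnerable_is_exempt(path: str) -> bool:
    """Models the described flaw: any path whose string ends in the probe
    word skips authentication, whatever route it actually belongs to."""
    return path.endswith("health") or path.endswith("ready")


def hardened_is_exempt(path: str) -> bool:
    """Exact match against a closed set of probe routes.  Query and fragment
    are dropped first so '/api/secrets?x=health' cannot satisfy the test,
    and anything not in the set fails closed to the normal auth check."""
    return urlsplit(path).path in PROBE_PATHS


def authenticate(path: str, token: Optional[str], is_exempt: Callable[[str], bool]) -> int:
    """Minimal middleware decision: 200 when exempt or the token is valid,
    401 otherwise."""
    if is_exempt(path):
        return 200
    return 200 if token == VALID_TOKEN else 401


# Constructed attacker-created resource whose name ends in the probe word.
ATTACKER_PATH = "/api/deployments/exfil-health"
```

Probe endpoints are the one place an unauthenticated caller is supposed to land, so the exemption list should be a literal set owned by the middleware, compared against the routed path, never a pattern applied to whatever string the client sent.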
CVE-2023-6022 | P3 | HIGH | CVSS 8.8 | affected: ≥ unspecified, < 2.16.5 | 2023-11-16
CVE-2023-6022 [HIGH] CWE-352
Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5.
Sources: ghsa, nvd, osv
CVE-2024-8183 | P3 | HIGH | CVSS 7.6 | affected: ≥ unspecified, < 3.0.3 | 2025-03-20
CVE-2024-8183 [HIGH] CWE-346
A CORS (Cross-Origin Resource Sharing) misconfiguration in prefecthq/prefect version 2.20.2 allows unauthorized domains to access sensitive data. This vulnerability can lead to unauthorized access to the database, resulting in potential data leaks, loss of confidentiality, service disruption, and data integrity risks.
Sources: ghsa, nvd, osv
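The CVE-2024-8183 entry says only that the CORS configuration let unauthorized origins read sensitive data, so the following models the general weakness rather than the specific setting that was wrong. It is an added example written for this page, not Prefect's code: the weak pattern reflects any `Origin` while allowing credentials, the corrected one checks an explicit allow-list with exact, scheme-qualified matching. The origins and the simplified browser-side check are assumptions.

```python
"""CORS origin handling: origin reflection beside an exact allow-list."""
from typing import Dict, Optional

ALLOWED_ORIGINS = frozenset({"https://ui.example.invalid"})  # assumed UI origin


def weak_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Weak: echoes whatever Origin the browser sent and allows credentials,
    so any site a logged-in user visits can read authenticated responses."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Corrected: only exact, scheme-qualified origins on the allow-list are
    echoed; everything else gets no CORS headers and the browser withholds
    the body from the calling page."""
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # the response differs per origin; keep caches from mixing them
    }


def browser_can_read(response_headers: Dict[str, str], page_origin: str) -> bool:
    """Simplified model of the browser check for a credentialed request: the
    allowed origin must equal the page's origin ('*' is never accepted with
    credentials) and credentials must be explicitly permitted."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    with_credentials = response_headers.get("Access-Control-Allow-Credentials") == "true"
    return allowed == page_origin and with_credentials
```

Exact set membership is deliberate: substring or prefix matching on the origin is the usual way allow-lists go wrong, since `https://ui.example.invalid.attacker.invalid` contains the trusted name, and `http://ui.example.invalid` differs only in scheme.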