16 matches found

Github Security Blog
added 2026/05/04 3:31 a.m. | 6 views

Prefect Auth Bypass via endswith() Health Check Exemption

A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public...

CVSS 6.9 | AI score 5.7 | EPSS 0.00094
Exploits 0 | References 11 | Affected Software 1
Vulnrichment
added 2026/05/04 3:00 a.m. | 7 views

CVE-2026-7725 PrefectHQ prefect GitRepository Pull storage.py argument injection

A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commitsha/directories results in argument injection. It is...

CVSS 6.5 | AI score 5.4 | EPSS 0.00065
Exploits 0 | References 8
ATTACKERKB
added 2026/05/04 3:00 a.m. | 0 views

CVE-2026-7725

A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commitsha/directories results in argument injection. It is...

CVSS 6.5 | AI score 6.2 | EPSS 0.00065
Exploits 0 | References 8 | Affected Software 1
CVE
added 2026/05/04 2:45 a.m. | 13 views

CVE-2026-7724

CVE-2026-7724 issue in PrefectHQ Prefect up to version 3.6.28.dev1 affects the Webhook/Notification component, specifically the function validate_restricted_url, causing a time‑of‑check vs time‑of‑use (TOCTOU) vulnerability. The flaw enables a remote attack with high complexity, and the exploitat...

CVSS 5 | AI score 5.1 | EPSS 0.0003
Exploits 0 | References 9
Vulnrichment
added 2026/05/04 2:30 a.m. | 0 views

CVE-2026-7723 PrefectHQ prefect WebSocket Endpoint in missing authentication

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be...

CVSS 7.5 | AI score 6.5 | EPSS 0.00147
Exploits 0 | References 8
Cvelist
added 2026/05/04 2:30 a.m. | 32 views

CVE-2026-7723 PrefectHQ prefect WebSocket Endpoint in missing authentication

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be...

CVSS 7.5 | EPSS 0.00147
Exploits 0 | References 8
EUVD
added 2026/05/04 2:30 a.m. | 4 views

EUVD-2026-26877

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be...

CVSS 7.5 | AI score 6.5 | EPSS 0.00147
Exploits 0 | References 8
CVE
added 2026/05/04 2:30 a.m. | 16 views

CVE-2026-7723

Technical details about CVE-2026-7723 are not publicly available in the provided documents. Monitor for official updates and patches; upgrading to 3.6.14 is mentioned in the description as a fix.

CVSS 7.5 | AI score 6.5 | EPSS 0.00147
Exploits 0 | References 8
EUVD
added 2026/05/04 2:15 a.m. | 4 views

EUVD-2026-26875

A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public...

CVSS 6.9 | AI score 5.7 | EPSS 0.00094
Exploits 0 | References 8
Positive Technologies
added 2026/05/04 12:00 a.m. | 4 views

PT-2026-36753

Name of the Vulnerable Software and Affected Versions: PrefectHQ prefect versions prior to 3.6.14. Description: A flaw in the WebSocket Endpoint component allows a remote attacker to perform a manipulation that leads to missing authentication. The issue is located within the '/api/events/in' endpoin...

CVSS 7.5 | AI score 7.1 | EPSS 0.00147
Exploits 0 | References 16
Positive Technologies
added 2026/05/04 12:00 a.m. | 4 views

PT-2026-36752

Name of the Vulnerable Software and Affected Versions: PrefectHQ prefect versions prior to 3.6.22. Description: Improper authentication in the Health Check API allows a remote attacker to perform a manipulation. This issue specifically impacts the endswith function within the '/api/health' endpoint...

6.9CVSS6.1AI score0.00094EPSS
Exploits0References10
Circl
added 2026/03/15 6:01 p.m. | 2 views

CVE-2025-69196

creationtimestamp | type | source
---|---|---
2026-03-15 18:01:33+00:00 | published-proof-of-concept | https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-5h2m-4q8j-pqpj...

CVSS 7.4 | AI score 5.8 | EPSS 0.00022
Exploits 1 | References 1
EUVD
added 2025/10/03 8:07 p.m. | 8 views

EUVD-2023-2878

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.7 | EPSS 0.00175
Exploits 1 | References 5
Vulnrichment
added 2025/03/20 10:11 a.m. | 4 views

CVE-2024-8183 CORS Misconfiguration in prefecthq/prefect

A CORS (Cross-Origin Resource Sharing) misconfiguration in prefecthq/prefect version 2.20.2 allows unauthorized domains to access sensitive data. This vulnerability can lead to unauthorized access to the database, resulting in potential data leaks, loss of confidentiality, service disruption, and...

CVSS 7.6 | AI score 7.4 | EPSS 0.00094
Exploits 0 | References 2
NVD
added 2023/11/16 5:15 p.m. | 18 views

CVE-2023-6022

Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5...

CVSS 8.8 | EPSS 0.00175
Exploits 1 | References 2
Cvelist
added 2023/11/16 4:07 p.m. | 17 views

CVE-2023-6022 Cross-Site Request Forgery (CSRF) in prefecthq/prefect

Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5...

CVSS 8.8 | AI score 9.1 | EPSS 0.00175
Exploits 1 | References 2