VYPR
High severity8.5NVD Advisory· Published May 24, 2026· Updated May 26, 2026

CVE-2026-3515

CVE-2026-3515

Description

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper sanitization, and then parsed by shlex.split(). This enables injection of options such as -c, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the aget_directory() and get_directory() methods in src/integrations/prefect-github/prefect_github/repository.py. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.