VYPR
Vendor: PrefectHQ

Products: 1
CVEs: 9
Across products: 9
Status: Private

Recent CVEs (9)
  • CVE-2026-3515 | High | May 24, 2026
    risk 0.48 | cvss 8.5 | epss 0.00

    A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command…

  • CVE-2026-3514 | High | Jun 2, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication…

  • CVE-2024-8183 | High | Mar 20, 2025
    risk 0.42 | cvss 7.6 | epss 0.00

    A CORS (Cross-Origin Resource Sharing) misconfiguration in prefecthq/prefect version 2.20.2 allows unauthorized domains to access sensitive data. This vulnerability can lead to unauthorized access to the database, resulting in potential data leaks, loss of confidentiality,…

  • CVE-2026-7723 | High | May 4, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been…

  • CVE-2026-7725 | Medium | May 4, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in…

  • CVE-2026-7722 | Medium | May 4, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The…

  • CVE-2026-7724 | Medium | May 4, 2026
    risk 0.26 | cvss 5.0 | epss 0.00

    A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack…

  • CVE-2026-5366 | Jun 20, 2026
    risk 0.00 | cvss (not listed) | epss 0.01

    Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to…

  • CVE-2023-6022 | Nov 16, 2023
    risk 0.00 | cvss (not listed) | epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5.