Skip to main content

Prefect CVE-2026-3514

| EUVDEUVD-2026-33884 HIGH
Incorrect Authorization (CWE-863)
2026-06-02 @huntr_ai GHSA-c635-393c-hcx2
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 02, 2026 - 10:01 EUVD
Source Code Evidence Fetched
Jun 02, 2026 - 08:45 vuln.today
Analysis Generated
Jun 02, 2026 - 08:45 vuln.today

DescriptionCVE.org

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.

AnalysisAI

Authentication bypass in prefecthq/prefect 3.6.19 allows remote unauthenticated attackers to access sensitive API endpoints by naming resources with paths ending in 'health' or 'ready', exploiting overly broad suffix-matching in the auth middleware exemption logic. Confirmed exploitable per the huntr.com bounty disclosure and validated by the upstream patch which replaces suffix matching with exact path comparison. No public exploit identified at time of analysis, and no EPSS or KEV signal is provided in the available data.

Technical ContextAI

Prefect is an open-source Python workflow orchestration platform whose server component (src/prefect/server/api/server.py) ships a Starlette/FastAPI authentication middleware. The middleware intentionally exempts Kubernetes-style liveness and readiness probes from auth checks, but in 3.6.19 the exemption used Python's str.endswith(('health', 'ready')) against request.url.path. This is a classic CWE-863 (Incorrect Authorization) flaw: because resource endpoints such as /api/variables/name/{name}, /api/flows, /api/work_pools, /api/work_queues, and /api/deployments embed user-controlled identifiers in the path, an attacker can craft a resource name like 'system-health' or 'prod-ready' so the resulting URL satisfies the suffix predicate and bypasses auth entirely. The patched code (commit e21617125335025b4b27e7d6f0ca028e8e8f3b79) hardens this by (1) restricting exempted paths to the exact set {health_check_path, '/ready'} and (2) reading scope['path'] minus root_path rather than request.url.path, which the regression tests show was spoofable through a crafted Host header like 'localhost/health?'.

RemediationAI

Upstream fix available (commit e21617125335025b4b27e7d6f0ca028e8e8f3b79); a released patched version is not independently confirmed in the provided data, so administrators should upgrade to the first prefecthq/prefect release that contains that commit (any version newer than 3.6.19 carrying the fix) and verify by checking that src/prefect/server/api/server.py uses exact-path matching against {health_check_path, '/ready'} rather than endswith(('health','ready')). Until the upgrade is applied, place the Prefect server behind a reverse proxy (nginx, Envoy, or an ingress controller) and add an explicit allowlist that only forwards GET /api/health and GET /api/ready without auth while requiring authentication on every other path - note this duplicates middleware logic and must be kept in sync with Prefect's own health-check path setting. As a stricter alternative, block external access to /api/variables/name/*, /api/flows/*, /api/work_pools/*, /api/work_queues/*, and /api/deployments/* at the proxy and audit existing resource names for any ending in 'health' or 'ready'; the trade-off is that legitimate clients with such names will break until renamed. Refer to the huntr advisory at https://huntr.com/bounties/c540e5e1-f74f-44f4-bfa0-9764ff6daa75 for the disclosure timeline.

Share

CVE-2026-3514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy