Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper sanitization, and then parsed by shlex.split(). This enables injection of options such as -c, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the aget_directory() and get_directory() methods in src/integrations/prefect-github/prefect_github/repository.py. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.
AnalysisAI
Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands through the unsanitized reference field. The GitHubRepository block concatenates user input directly into git clone commands, enabling attackers to inject malicious options that can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.
Technical ContextAI
The vulnerability exists in the prefect-github integration component of Prefect, an open-source workflow orchestration platform. The root cause is improper neutralization of special elements in command arguments (CWE-88), where the reference parameter in GitHubRepository blocks is concatenated into git command strings without validation. The code uses Python's shlex.split() to parse the command, but this occurs after the injection point, allowing attackers to inject git options like -c to execute arbitrary commands. The GitLab and BitBucket integrations are not affected as they use safer list-based command construction.
RemediationAI
No vendor-released patch identified at time of analysis. Until a patch is available, disable or restrict access to GitHubRepository blocks in Prefect deployments, particularly for untrusted users. If GitHub integration is required, implement input validation for the reference field at the application layer to reject special characters and command injection attempts. Consider migrating critical workflows to use GitLab or BitBucket integrations which are not affected by this vulnerability. Monitor git command execution logs for suspicious -c options or unexpected parameters. Apply principle of least privilege to Prefect service accounts to limit potential impact.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31563
GHSA-cw25-2p92-7f75