Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8Blast Radius
ecosystem impact- 2 pypi packages depend on prefect (2 direct, 1 indirect)
Ecosystem-wide dependent count for version 3.6.22.
DescriptionCVE.org
A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. Upgrading the affected component is recommended.
AnalysisAI
Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check API endpoint by manipulating the request path suffix matching logic. The vulnerability affects the /api/health endpoint's improper authentication validation using the endswith() function, enabling attackers to craft requests that bypass authentication checks. Publicly available exploit code exists and the vendor has released patch version 3.6.22.
Technical ContextAI
Prefect's Health Check API middleware used suffix-based path matching via request.url.path.endswith(("health", "ready")) to exempt health probe requests from authentication. This implementation is vulnerable to two attack vectors: first, attacker-controlled paths ending in "health" or "ready" (e.g., /api/variables/name/system-health) would bypass authentication despite not being legitimate health endpoints; second, HTTP Host header manipulation could spoof the request.url.path value, allowing attackers to craft paths that appear to end with health/ready while accessing protected endpoints. The root cause is CWE-287 (Improper Authentication), stemming from reliance on URL suffix matching rather than exact path validation and trusting request.url.path which can be reconstructed from the Host header. The fix changes to exact path matching using scope["path"] (which is not spoofable) against a predefined set {/health, /ready}, eliminating both bypass vectors.
RemediationAI
Upgrade to Prefect version 3.6.22 or later immediately. The patched version replaces suffix-based path matching with exact path comparison against a whitelist of {/health, /ready} endpoints and uses scope["path"] instead of request.url.path to prevent Host header spoofing. For organizations unable to upgrade immediately, implement network-level access controls by restricting access to the /api/health and /api/ready endpoints to trusted health probe sources only (e.g., Kubernetes node IPs, monitoring infrastructure). This workaround requires identifying all legitimate health probe clients and maintaining firewall rules accordingly, with the trade-off that legitimate probes from unexpected sources will be blocked. Additionally, disable authentication exemption entirely by removing the PREFECT_SERVER_API_AUTH_STRING setting if health probes can be configured to provide credentials, though this may require changes to monitoring infrastructure. Patch availability is confirmed: vendor-released patch version 3.6.22 at https://github.com/PrefectHQ/prefect/releases/tag/3.6.22.
Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5. Rated high severity (CVSS 8.8)
Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send event
Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via spe
Time-of-check time-of-use (TOCTOU) vulnerability in Prefect's validate_restricted_url function allows remote attackers w
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26875