Skip to main content

Prefect CVE-2026-7723

| EUVDEUVD-2026-26877 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-04 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
PoC Detected
May 04, 2026 - 15:18 vuln.today
Public exploit code
Source Code Evidence Fetched
May 04, 2026 - 03:30 vuln.today
Analysis Generated
May 04, 2026 - 03:30 vuln.today
Severity Changed
May 04, 2026 - 03:22 NVD
HIGH MEDIUM
CVSS changed
May 04, 2026 - 03:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 03:00 euvd
EUVD-2026-26877
Analysis Generated
May 04, 2026 - 03:00 vuln.today
Patch released
May 04, 2026 - 03:00 nvd
Patch available
CVE Published
May 04, 2026 - 02:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. It is recommended to upgrade the affected component.

AnalysisAI

Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send events without valid credentials in versions up to 3.6.13. The vulnerability exploits missing authentication validation on the WebSocket connection handshake, allowing attackers to interact with the events API when authentication is configured. A publicly available exploit exists; vendor patch version 3.6.14 addresses this by implementing mandatory subprotocol-based authentication handshake.

Technical ContextAI

Prefect is a workflow orchestration platform that uses WebSocket connections for real-time event streaming via the /api/events/in endpoint. The vulnerability exists in the events client component (src/prefect/events/clients.py) and server subscription handler (src/prefect/server/utilities/subscriptions.py). The root cause is CWE-306 (Missing Authentication for Critical Function): the WebSocket connection was accepting client connections without validating authentication tokens before processing event submissions. The fix introduces a 'prefect' subprotocol requirement and implements an authentication handshake where clients must send an auth message with a valid token immediately after connection establishment, and the server validates the response before proceeding. This addresses the missing authentication check that allowed unauthenticated access to what should be a protected endpoint.

RemediationAI

Vendor-released patch: upgrade to Prefect version 3.6.14 or later, available at https://github.com/PrefectHQ/prefect/releases/tag/3.6.14 (commit 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40). For organizations unable to immediately upgrade, restrict network access to the /api/events/in WebSocket endpoint using network segmentation or firewall rules, allowing only trusted internal clients. Alternatively, if the Prefect API authentication feature is not required for your deployment, it can be disabled (which enables legacy mode that accepts unauthenticated connections), but this reduces security posture and should only be considered as a temporary mitigation. Verify after upgrade that authentication validation is enforced by confirming WebSocket connections without valid authentication tokens are rejected with WS_1002_PROTOCOL_ERROR responses.

Share

CVE-2026-7723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy