Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. It is recommended to upgrade the affected component.
AnalysisAI
Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send events without valid credentials in versions up to 3.6.13. The vulnerability exploits missing authentication validation on the WebSocket connection handshake, allowing attackers to interact with the events API when authentication is configured. A publicly available exploit exists; vendor patch version 3.6.14 addresses this by implementing mandatory subprotocol-based authentication handshake.
Technical ContextAI
Prefect is a workflow orchestration platform that uses WebSocket connections for real-time event streaming via the /api/events/in endpoint. The vulnerability exists in the events client component (src/prefect/events/clients.py) and server subscription handler (src/prefect/server/utilities/subscriptions.py). The root cause is CWE-306 (Missing Authentication for Critical Function): the WebSocket connection was accepting client connections without validating authentication tokens before processing event submissions. The fix introduces a 'prefect' subprotocol requirement and implements an authentication handshake where clients must send an auth message with a valid token immediately after connection establishment, and the server validates the response before proceeding. This addresses the missing authentication check that allowed unauthenticated access to what should be a protected endpoint.
RemediationAI
Vendor-released patch: upgrade to Prefect version 3.6.14 or later, available at https://github.com/PrefectHQ/prefect/releases/tag/3.6.14 (commit 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40). For organizations unable to immediately upgrade, restrict network access to the /api/events/in WebSocket endpoint using network segmentation or firewall rules, allowing only trusted internal clients. Alternatively, if the Prefect API authentication feature is not required for your deployment, it can be disabled (which enables legacy mode that accepts unauthenticated connections), but this reduces security posture and should only be considered as a temporary mitigation. Verify after upgrade that authentication validation is enforced by confirming WebSocket connections without valid authentication tokens are rejected with WS_1002_PROTOCOL_ERROR responses.
Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5. Rated high severity (CVSS 8.8)
Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check
Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via spe
Time-of-check time-of-use (TOCTOU) vulnerability in Prefect's validate_restricted_url function allows remote attackers w
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26877