Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised.
AnalysisAI
Time-of-check time-of-use (TOCTOU) vulnerability in Prefect's validate_restricted_url function allows remote attackers with low privileges to bypass Server-Side Request Forgery (SSRF) protections via DNS rebinding attacks during webhook and notification delivery. Publicly available exploit code exists. The vulnerability affects Prefect versions up to 3.6.28.dev1 and is fixed in 3.6.28.dev2.
Technical ContextAI
The vulnerability exists in the webhook and notification components' URL validation logic (CWE-367: Improper Synchronization). The validate_restricted_url function performs initial DNS resolution and IP validation to prevent SSRF attacks targeting private addresses, but this validation occurs before the actual HTTP connection is established. An attacker can exploit the time gap between validation and connection by performing DNS rebinding: the hostname initially resolves to a public IP (passing validation), then resolves to a private IP (like 127.0.0.1 or 10.0.0.0/8) when the HTTP client actually establishes the connection. The fix implements SSRFProtectedAsyncHTTPTransport and SSRFProtectedHTTPTransport that re-validate the resolved IP at connection time and pin the connection to the pre-resolved address, eliminating the TOCTOU window. The patch also upgrades from socket.gethostbyname (which returns only the first A record) to socket.getaddrinfo (which validates all resolved addresses), closing an additional bypass where a hostname publishes both public and private records.
RemediationAI
Upgrade to Prefect version 3.6.28.dev2 or later, which includes the fix identified by commit 7c70ac54a5e101431d83b9f2681ec88d5e0021ed and released at https://github.com/PrefectHQ/prefect/releases/tag/3.6.28.dev2. The patch replaces simple DNS validation with SSRF-protected HTTP transports that re-validate resolved IPs at connection time and enforce IP pinning. No workarounds are available short of upgrading, as the vulnerability is structural to the validation-before-connection pattern. Organizations unable to upgrade immediately should restrict webhook and notification destinations to allowlisted fully-qualified domain names (FQDNs) that resolve only to public IP addresses, disable dynamic DNS for notification targets, and implement network segmentation to prevent HTTP clients from reaching internal services-these controls mitigate but do not eliminate the risk, as DNS rebinding can still occur within the allowed set.
Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5. Rated high severity (CVSS 8.8)
Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send event
Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check
Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via spe
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26879