Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component.
AnalysisAI
Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via specially crafted commit_sha or directories parameters in the GitRepository Pull Handler (src/prefect/runner/storage.py). An attacker can inject git flags like --upload-pack or --config to achieve remote code execution with the privileges of the Prefect runner process. Publicly available exploit code exists, and the vendor has released a patched version (3.6.25.dev7) that validates commit SHA format and adds command-line argument separators to block injection.
Technical ContextAI
The vulnerability exists in the GitRepository class within Prefect's runner storage module, which handles pulling code from remote git repositories. The affected code constructs git sparse-checkout commands by directly concatenating user-supplied commit_sha and directories parameters into command arrays passed to subprocess execution functions. The root cause (CWE-88: Argument Injection) stems from insufficient input validation-attackers can inject git command-line flags (prefixed with -- or -) that are interpreted as options rather than literal directory names or commit references. The patch addresses this by: (1) validating commit_sha against a regex pattern allowing only hexadecimal characters (4-64 chars, supporting SHA-1 and SHA-256), (2) adding a -- argument separator before the directories list to force git to treat all following arguments as positional parameters rather than flags, and (3) issuing a warning if directories contain suspicious double-dash prefixes. This is a classic shell/command-injection pattern where input sanitization bypasses lead to arbitrary option injection in subprocess commands.
RemediationAI
Upgrade Prefect to version 3.6.25.dev7 or later immediately. Vendor-released patch: 3.6.25.dev7 (commit 6a9d9918716ce4ee0297b69f3046f7067ef1faae, PR #21384). Until upgrade is possible, restrict network access to Prefect runners and enforce strong authentication and role-based access control to limit who can invoke GitRepository operations with user-controlled parameters. Implement audit logging on all Prefect runner API calls to detect suspicious commit_sha or directories parameters (watch for hex validation failures or -- prefixes). Review any deployed Prefect configurations where GitRepository is instantiated with dynamic or user-provided parameters and temporarily pin them to known-safe hardcoded values. Note that workarounds do not fully mitigate the risk-patching is strongly recommended. See vendor advisory at https://github.com/PrefectHQ/prefect for additional security guidance.
Cross-Site Request Forgery (CSRF) in GitHub repository prefecthq/prefect prior to 2.16.5. Rated high severity (CVSS 8.8)
Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send event
Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check
Time-of-check time-of-use (TOCTOU) vulnerability in Prefect's validate_restricted_url function allows remote attackers w
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26880