Skip to main content

Prefect CVE-2026-7725

| EUVDEUVD-2026-26880 LOW
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
PoC Detected
May 04, 2026 - 15:18 vuln.today
Public exploit code
Severity Changed
May 04, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 05:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 04, 2026 - 05:00 vuln.today
Analysis Generated
May 04, 2026 - 05:00 vuln.today
EUVD ID Assigned
May 04, 2026 - 04:30 euvd
EUVD-2026-26880
Analysis Generated
May 04, 2026 - 04:30 vuln.today
Patch released
May 04, 2026 - 04:30 nvd
Patch available
CVE Published
May 04, 2026 - 03:00 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component.

AnalysisAI

Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via specially crafted commit_sha or directories parameters in the GitRepository Pull Handler (src/prefect/runner/storage.py). An attacker can inject git flags like --upload-pack or --config to achieve remote code execution with the privileges of the Prefect runner process. Publicly available exploit code exists, and the vendor has released a patched version (3.6.25.dev7) that validates commit SHA format and adds command-line argument separators to block injection.

Technical ContextAI

The vulnerability exists in the GitRepository class within Prefect's runner storage module, which handles pulling code from remote git repositories. The affected code constructs git sparse-checkout commands by directly concatenating user-supplied commit_sha and directories parameters into command arrays passed to subprocess execution functions. The root cause (CWE-88: Argument Injection) stems from insufficient input validation-attackers can inject git command-line flags (prefixed with -- or -) that are interpreted as options rather than literal directory names or commit references. The patch addresses this by: (1) validating commit_sha against a regex pattern allowing only hexadecimal characters (4-64 chars, supporting SHA-1 and SHA-256), (2) adding a -- argument separator before the directories list to force git to treat all following arguments as positional parameters rather than flags, and (3) issuing a warning if directories contain suspicious double-dash prefixes. This is a classic shell/command-injection pattern where input sanitization bypasses lead to arbitrary option injection in subprocess commands.

RemediationAI

Upgrade Prefect to version 3.6.25.dev7 or later immediately. Vendor-released patch: 3.6.25.dev7 (commit 6a9d9918716ce4ee0297b69f3046f7067ef1faae, PR #21384). Until upgrade is possible, restrict network access to Prefect runners and enforce strong authentication and role-based access control to limit who can invoke GitRepository operations with user-controlled parameters. Implement audit logging on all Prefect runner API calls to detect suspicious commit_sha or directories parameters (watch for hex validation failures or -- prefixes). Review any deployed Prefect configurations where GitRepository is instantiated with dynamic or user-provided parameters and temporarily pin them to known-safe hardcoded values. Note that workarounds do not fully mitigate the risk-patching is strongly recommended. See vendor advisory at https://github.com/PrefectHQ/prefect for additional security guidance.

Share

CVE-2026-7725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy