Skip to main content

Prefect EUVDEUVD-2026-38128

| CVE-2026-5366 CRITICAL
Code Injection (CWE-94)
2026-06-20 @huntr_ai GHSA-7pm4-56h2-5rxr
9.9
CVSS 3.0 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable Prefect API, low-priv deployment author (PR:L), no UI; argument injection breaks out of Prefect's auth scope onto the worker (S:C) with full RCE giving high CIA.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 22, 2026 - 05:53 vuln.today

DescriptionCVE.org

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the GitRepository storage class. The commit_sha parameter, which is passed to git commands, lacks validation and does not include a -- separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as --upload-pack, enabling execution of external programs. Additionally, the directories parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments.

AnalysisAI

Remote code execution in Prefect 3.6.23 allows any user holding deployment-creation permissions to run arbitrary commands on shared worker machines by abusing the GitRepository storage class. The commit_sha and directories parameters are concatenated into git invocations without a -- separator or validation, letting attackers smuggle flags such as --upload-pack to execute external programs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain deployment-creation role in workspace
Delivery
Create deployment with GitRepository storage
Exploit
Inject `--upload-pack=<payload>` into commit_sha or flag into directories
Execution
Worker invokes git with attacker-controlled flag
Persist
git spawns attacker binary on worker host
Impact
Pivot to co-tenant secrets and flow code

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an account with permission to create or edit a Prefect deployment in the target workspace, (2) that deployment using the GitRepository storage class so the attacker-controlled commit_sha or directories values reach the git subprocess, and (3) a worker that subsequently picks up the run - most impactful when a single work pool is shared across tenants. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS:3.0 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9) is consistent with the description: an authenticated low-privilege Prefect user reaches the worker over the network through deployment configuration, breaks out of the Prefect trust scope onto the worker host, and gains full CIA impact - the scope change is genuine because the attacker's principal differs from the compromised worker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer with deployment-creation rights in a shared Prefect workspace creates a deployment whose GitRepository.commit_sha is set to something like `--upload-pack=/tmp/payload.sh` (or a similar `--exec`/`--upload-pack` flag), pointing the git remote at an attacker-controlled URL. When any tenant's flow run is scheduled onto the shared worker, the worker invokes git with the injected flag, executing the attacker's binary as the worker process and yielding code execution on the host. …
Remediation No vendor-released patch identified at time of analysis; monitor https://huntr.com/bounties/e2e88a0f-a8f6-49c9-94c5-e98dc385f07a, https://nvd.nist.gov/vuln/detail/CVE-2026-5366, and the PrefectHQ release notes for a fixed version above 3.6.23 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit and restrict deployment-creation permissions to essential administrators only; monitor Prefect worker machines for suspicious process execution and git invocations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy