Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable Prefect API, low-priv deployment author (PR:L), no UI; argument injection breaks out of Prefect's auth scope onto the worker (S:C) with full RCE giving high CIA.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the GitRepository storage class. The commit_sha parameter, which is passed to git commands, lacks validation and does not include a -- separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as --upload-pack, enabling execution of external programs. Additionally, the directories parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments.
AnalysisAI
Remote code execution in Prefect 3.6.23 allows any user holding deployment-creation permissions to run arbitrary commands on shared worker machines by abusing the GitRepository storage class. The commit_sha and directories parameters are concatenated into git invocations without a -- separator or validation, letting attackers smuggle flags such as --upload-pack to execute external programs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) an account with permission to create or edit a Prefect deployment in the target workspace, (2) that deployment using the GitRepository storage class so the attacker-controlled commit_sha or directories values reach the git subprocess, and (3) a worker that subsequently picks up the run - most impactful when a single work pool is shared across tenants. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS:3.0 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (9.9) is consistent with the description: an authenticated low-privilege Prefect user reaches the worker over the network through deployment configuration, breaks out of the Prefect trust scope onto the worker host, and gains full CIA impact - the scope change is genuine because the attacker's principal differs from the compromised worker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer with deployment-creation rights in a shared Prefect workspace creates a deployment whose GitRepository.commit_sha is set to something like `--upload-pack=/tmp/payload.sh` (or a similar `--exec`/`--upload-pack` flag), pointing the git remote at an attacker-controlled URL. When any tenant's flow run is scheduled onto the shared worker, the worker invokes git with the injected flag, executing the attacker's binary as the worker process and yielding code execution on the host. … |
| Remediation | No vendor-released patch identified at time of analysis; monitor https://huntr.com/bounties/e2e88a0f-a8f6-49c9-94c5-e98dc385f07a, https://nvd.nist.gov/vuln/detail/CVE-2026-5366, and the PrefectHQ release notes for a fixed version above 3.6.23 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit and restrict deployment-creation permissions to essential administrators only; monitor Prefect worker machines for suspicious process execution and git invocations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prefecthq Prefect
View allSame weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38128
GHSA-7pm4-56h2-5rxr