CVE-2026-3514 - Vulnerability Details

- Authentication Bypass in prefecthq/prefect

Description

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.

Published: 2026-06-02

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In Prefect 3.6.19 the authentication middleware incorrectly exempts any URL path that ends with the strings "health" or "ready" from authentication checks. This flaw allows an attacker to create a resource whose name ends with those strings and then access that resource without needing to authenticate. The breach enables disclosure of confidential information, such as API keys and database credentials, that are stored in Prefect Variables. The weakness is classified as CWE-863, an authorization bypass through user-controlled keys.

Affected Systems

The vulnerability affects the Prefect Prefect product, version 3.6.19. Endpoints impacted include those that create or manage variables, flows, work pools, work queues, and deployments. No other product versions or vendors are currently known to be affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score is not available, and the issue is not yet listed in the CISA KEV catalog, but the lack of authentication enforcement presents a clear attack path. An attacker with network access to the Prefect API can create resources with names ending in "health" or "ready" and subsequently retrieve those resources without authentication, directly exposing sensitive configuration data. The potential for exploitation is significant given the simplicity of crafting such requests and the critical nature of the data that can be accessed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

prefecthq

prefecthq/prefect

affected

Version	Status	Constraints
`unspecified`	affected	< 3.6.22

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Prefect to the latest version that removes the URL path exemption bug.
If an upgrade is not immediately possible, reconfigure the authentication middleware so that endpoints ending with "health" or "ready" still require proper authentication and remove any exemption logic.
Audit existing Prefect deployments to identify and rename resources whose names end with "health" or "ready", then apply authentication controls or delete them if not needed.
Monitor API traffic for anomalous requests to resource paths ending with "health" or "ready" and investigate any unexpected activity.

Generated by OpenCVE AI on June 2, 2026 at 09:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/prefecthq/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79
https://huntr.com/bounties/c540e5e1-f74f-44f4-bfa0-9764ff6daa75

History

Tue, 02 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 02 Jun 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.
Title		Authentication Bypass in prefecthq/prefect
Weaknesses		CWE-863
References		https://github.com/prefecthq/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79 https://huntr.com/bounties/c540e5e1-f74f-44f4-bfa0-9764ff6daa75
Metrics		cvssV3_0 `{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2026-06-02T07:28:33.260Z

Updated: 2026-06-02T13:13:11.889Z

Reserved: 2026-03-04T15:03:15.653Z

Link: CVE-2026-3514

Vulnrichment

Updated: 2026-06-02T13:12:02.871Z

NVD

Status : Awaiting Analysis

Published: 2026-06-02T09:16:16.100

Modified: 2026-06-02T14:35:45.167

Link: CVE-2026-3514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T09:30:05Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object