Description
A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.
Published: 2026-05-24
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the GitHubRepository block of the prefect-github integration, where the reference field is directly concatenated into a git clone command string without sanitization. After building the command, shlex.split() parses it, allowing an attacker to inject arbitrary git options such as -c. This injection can lead to Server-Side Request Forgery, credential theft, or in the worst case remote code execution. The flaw is a classic argument-injection problem identified as CWE-88.

Affected Systems

The affected product is Prefect, specifically the prefecthq/prefect GitHub integration, version 3.6.18. Only the GitHub integration is vulnerable; GitLab and BitBucket integrations use safer, list-based command construction and are not impacted.

Risk and Exploitability

The flaw receives a CVSS score of 8.5, indicating high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote or via malicious configuration: an attacker who supplies a crafted reference string can trigger the vulnerable command during repository cloning, potentially enabling SSRF, credential leakage, or RCE. No exploitation evidence is reported, but the high severity and the nature of the flaw warrant immediate attention.

Generated by OpenCVE AI on May 24, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prefect to a version beyond 3.6.18 where the repository reference sanitization patch has been applied.
  • If an upgrade cannot be performed immediately, restrict the use of the GitHub integration to authorized users only and apply validation rules to the reference field, ensuring it does not contain dangerous git options.
  • Implement network controls or firewall rules to block undesired outbound traffic from Prefect workers, mitigating potential SSRF caused by malformed reference entries.

Generated by OpenCVE AI on May 24, 2026 at 06:21 UTC.
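To make the defect and the recommended mitigation concrete, the following is an added example; it is not Prefect's `repository.py`, not the vendor's fix, and not OpenCVE's output. It reproduces the shape the description gives (a reference formatted into a command string that `shlex.split()` then tokenizes) next to a list-based build that applies the reference validation the recommended actions call for. The function names, the allowlist regex, the `InvalidReference` class and the sample URL are this example's own assumptions; the validation rules are a deliberately narrow subset of git's own ref-name rules, not a copy of them.

```python
"""Vulnerable string-built git argv versus a validated, list-built argv.

Nothing in this module runs git: the builders return the argv list so the
two shapes can be compared and tested offline. Names are hypothetical.
"""
import re
import shlex
import subprocess
from typing import List


class InvalidReference(ValueError):
    """Raised when a reference could be read by git as an option."""


def build_clone_argv_unsafe(url: str, reference: str, dest: str) -> List[str]:
    """Reproduces the vulnerable shape: the reference is interpolated into a
    single command string and only then split into argv tokens. A value that
    starts with '-' therefore becomes its own token and is seen by git as an
    option, exactly the argument-injection pattern described for CVE-2026-3515."""
    command = f"git clone {url} -b {reference} {dest}"
    return shlex.split(command)


# First character must be alphanumeric, so no option-looking value
# ('-c ...', '--upload-pack=...') can pass. Remaining characters are
# limited to what branch names, tags, full refs and commit hashes need.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def validate_reference(reference: str) -> str:
    """Return the reference unchanged if it passes a conservative allowlist,
    otherwise raise InvalidReference. Rules are a narrow subset of what
    git accepts: leading alphanumeric, no whitespace or shell metacharacters,
    no empty path component, no component starting with '.', no '.lock'
    suffix, no '..' sequence, no trailing '.'."""
    if not _REF_RE.fullmatch(reference):
        raise InvalidReference(f"refusing reference {reference!r}")
    for part in reference.split("/"):
        if not part or part.startswith(".") or part.endswith(".lock"):
            raise InvalidReference(f"refusing reference {reference!r}")
    if ".." in reference or reference.endswith("."):
        raise InvalidReference(f"refusing reference {reference!r}")
    return reference


def is_safe_reference(reference: str) -> bool:
    """Boolean wrapper around validate_reference for callers and tests."""
    try:
        validate_reference(reference)
    except InvalidReference:
        return False
    return True


def build_clone_argv_safe(url: str, reference: str, dest: str) -> List[str]:
    """List-based build, the approach the description attributes to the
    GitLab and Bitbucket integrations: every element is exactly one argv
    entry and is never re-split. The '--' separator additionally tells git
    that the URL and destination are positional even if they start with '-'."""
    ref = validate_reference(reference)
    return ["git", "clone", "--branch", ref, "--", url, dest]


def clone(url: str, reference: str, dest: str) -> int:
    """Run the safe argv without a shell. Not called by the tests."""
    return subprocess.run(build_clone_argv_safe(url, reference, dest),
                          check=False).returncode


if __name__ == "__main__":
    # Constructed sample input; the URL is a placeholder, not a real repo.
    sample_url = "https://example.invalid/org/repo.git"
    print("unsafe:", build_clone_argv_unsafe(sample_url, "-c user.name=injected", "/tmp/repo"))
    print("safe:  ", build_clone_argv_safe(sample_url, "main", "/tmp/repo"))
    for candidate in ["main", "refs/heads/feature-1", "v1.2.3", "-c user.name=injected",
                      "--upload-pack=x", "a..b", "main/", "feature/.hidden"]:
        print(f"{candidate!r}: {'accepted' if is_safe_reference(candidate) else 'rejected'}")
```

The unsafe builder illustrates the detection angle as well as the bug: a `git clone` argv in which the token following `-b` begins with `-` is a reliable signal in process-creation telemetry. The safe builder should be preferred over validation alone, since the allowlist only protects the one field while the list form and `--` protect every positional argument.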

Advisories

No advisories yet.

History

Sun, 24 May 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | (empty) | A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.
Title | (empty) | Argument Injection in prefecthq/prefect
Weaknesses | (empty) | CWE-88
References | (empty) | (empty)
Metrics | (empty) | cvssV3_0 {'score': 8.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-05-24T03:32:32.001Z

Reserved: 2026-03-04T15:06:23.397Z

Link: CVE-2026-3515

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T06:30:05Z

Weaknesses