Impact
Prefect 3.6.23 allows remote code execution because the GitRepository storage class passes a user‑controlled commit_sha value directly to git without validation or a separating double hyphen. Attackers can inject arbitrary git flags such as --upload-pack, which causes git to execute external programs. The directories parameter can similarly be abused during sparse‑checkout. Any user with deployment‑creation rights can use these inputs to run arbitrary commands on worker machines, subverting shared work‑pool isolation.
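The defence the description implies is twofold: validate the value before it reaches git, and terminate git's option parsing with `--` so a value can never be read as a flag. The following is an added, hypothetical illustration written for this page, not Prefect's own code; it assumes commit identifiers are full or abbreviated hex object ids and builds argv lists (no shell) that the worker would hand to `subprocess.run`.

```python
import re
from typing import Iterable, List

# Constructed for this example: a commit id is 7 to 40 hex digits, nothing else.
# A hex-only rule can never match a string that starts with "-", so option-like
# input such as "--upload-pack=..." is rejected before git ever sees it.
_HEX_SHA = re.compile(r"[0-9a-fA-F]{7,40}")


def is_valid_commit_sha(value: object) -> bool:
    return isinstance(value, str) and _HEX_SHA.fullmatch(value) is not None


def is_valid_sparse_directory(value: object) -> bool:
    """Relative path, no option prefix, no traversal; used for sparse-checkout entries."""
    if not isinstance(value, str) or not value or value.startswith(("-", "/")):
        return False
    return ".." not in value.split("/")


def build_fetch_command(commit_sha: str) -> List[str]:
    """git argv for fetching one validated commit; '--' ends option parsing."""
    if not is_valid_commit_sha(commit_sha):
        raise ValueError(f"rejected commit_sha: {commit_sha!r}")
    # Positional arguments (remote name, refspec) come only after "--".
    return ["git", "fetch", "--depth", "1", "--", "origin", commit_sha]


def build_checkout_command(commit_sha: str) -> List[str]:
    if not is_valid_commit_sha(commit_sha):
        raise ValueError(f"rejected commit_sha: {commit_sha!r}")
    return ["git", "checkout", "--", commit_sha]


def build_sparse_checkout_command(directories: Iterable[str]) -> List[str]:
    """git argv for 'sparse-checkout set' over validated directory entries."""
    dirs = list(directories)
    bad = [d for d in dirs if not is_valid_sparse_directory(d)]
    if bad or not dirs:
        raise ValueError(f"rejected directories: {bad!r}")
    return ["git", "sparse-checkout", "set", "--", *dirs]


if __name__ == "__main__":
    # Constructed sample input: a well-formed id and an option-like string.
    print(build_fetch_command("0123456789abcdef0123456789abcdef01234567"))
    for attempt in ("--upload-pack=anything", "-c", "main"):
        print(attempt, "->", is_valid_commit_sha(attempt))
```

The argv lists are passed to `subprocess.run` without `shell=True`, so the only parser that sees the values is git itself, and the `--` already closes the option-injection path.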
Affected Systems
The affected product is Prefect version 3.6.23 from prefecthq/prefect. No other versions or vendors are listed as affected. Users on that release should immediately verify the installed version.
Risk and Exploitability
The CVSS score of 9.9 indicates critical severity. EPSS information is not available, and the absence of a KEV listing does not lower the risk, because exploitation requires only deployment‑creation permissions, which, based on the description, are inferred to be granted broadly in multi‑tenant environments. An attacker who can create or modify a deployment can inject git flags and so execute code on any worker that runs that deployment. The impact is a complete loss of confidentiality, integrity, and availability on those worker nodes, and the threat extends to every deployment within a shared pool.
OpenCVE Enrichment