Description
A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack can be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PrefectHQ's Prefect software, in versions up to 3.6.21, contains a flaw in the Health Check API endpoint /api/health. By manipulating the endswith function, an attacker can bypass authentication controls and gain remote access. Public exploit code is available, and the vulnerability has not yet been listed in CISA's KEV catalog. A patch in commit e21617125335025b4b27e7d6f0ca028e8e8f3b79 was released in version 3.6.22 to fix the issue.

Affected Systems

This issue affects PrefectHQ Prefect versions up to and including 3.6.21. Users running any of those releases are vulnerable until they upgrade to 3.6.22 or later.

Risk and Exploitability

The flaw has a CVSS score of 6.9, indicating moderate severity. The attack can be carried out remotely from anywhere that can reach the API endpoint. Public exploit code is available, and the vulnerability is not currently listed in CISA’s KEV catalog. The EPSS score is less than 1%, implying a low probability of exploitation, but the presence of a public exploit raises the risk for exposed deployments.

Generated by OpenCVE AI on May 4, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Prefect to version 3.6.22 or later to apply the vendor patch.
  • Limit exposure of the /api/health endpoint by enforcing authentication or restricting network access to trusted networks.
  • Monitor server logs for suspicious requests to /api/health to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Mon, 04 May 2026 22:30:00 +0000


Mon, 04 May 2026 21:30:00 +0000

Type: Description
Values Removed: A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. Upgrading the affected component is recommended.
Values Added: A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: References

Mon, 04 May 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 03:00:00 +0000

Type: Description
Values Added: A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. Upgrading the affected component is recommended.

Type: Title
Values Added: PrefectHQ prefect Health Check API health endswith improper authentication

Type: First Time appeared
Values Added: Prefect; Prefect prefect

Type: Weaknesses
Values Added: CWE-287

Type: CPEs
Values Added: cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Prefect; Prefect prefect

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T21:17:46.743Z

Reserved: 2026-05-03T09:18:12.918Z

Link: CVE-2026-7722

Vulnrichment

Updated: 2026-05-04T12:56:19.951Z

NVD

Status: Deferred

Published: 2026-05-04T03:16:12.967

Modified: 2026-05-04T22:16:19.803

Link: CVE-2026-7722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T22:30:09Z

Weaknesses