Description
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the WebSocket endpoint /api/events/in of the Prefect server. The endpoint can be reached without the server's authentication check being applied, which the record classifies as improper authentication (CWE-287) and missing authentication for a critical function (CWE-306); the "manipulation" wording in the description is VulDB's standard phrasing and does not point to a particular parameter. In Prefect, /api/events/in is the socket through which clients stream events into the server, so the plausible consequence is that an unauthenticated remote party can open that channel and inject events of its choosing, and, where automations are configured to react to events, drive them. That consequence is inferred from the role of the endpoint; the CVE itself states only that authentication is missing. The precondition is a single WebSocket upgrade request from a remote host to a server running 3.6.13 or earlier.

Affected Systems

All installations of the Prefect server package (prefect) at version 3.6.13 or earlier are affected; the CPE cpe:2.3:a:prefect:prefect:* carries no lower version bound. The fix ships in Prefect 3.6.14. The current CVE description names commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 as the patch, whereas an earlier revision of the description (see History below) cited commit 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40, so confirm the fix against the 3.6.14 release rather than relying on either hash alone. The record says nothing about Prefect Cloud.

Risk and Exploitability

The CVSS 4.0 base score is 6.9 (medium); the vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L describes a network-reachable endpoint that needs no privileges or user interaction and yields limited confidentiality, integrity and availability impact. The earlier CVSS 3.x assessments on this record score it 7.3 (high) on the same basis. The EPSS estimate is below 1%, but the SSVC entry records Exploitation: poc and Automatable: yes, and the description states that exploit code has been published, so the low EPSS should not be read as a reason to defer patching. The practical question is whether the Prefect API port is reachable by untrusted clients: anyone who can reach it needs no credentials at all for this endpoint.

Generated by OpenCVE AI on May 5, 2026 at 00:21 UTC.

Remediation

The vendor fix is the upgrade to Prefect 3.6.14 (commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 according to the description). No vendor-documented workaround for earlier versions is recorded.

OpenCVE Recommended Actions

  • Upgrade PrefectHQ Prefect to version 3.6.14 or newer. This is the official vendor fix; the description identifies it as commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6, included in the 3.6.14 release. Verify the running server version after the upgrade, not only the installed package.
  • If an immediate upgrade is not possible, limit network exposure of the Prefect API. Use firewall rules, network segmentation or VPN access so that only trusted hosts can reach the server, and in particular the WebSocket endpoint /api/events/in. This is a compensating control for the missing authentication check (CWE-306), not a replacement for it; because the vulnerable endpoint bypasses Prefect's own authentication, the restriction has to be enforced in front of the server (firewall, reverse proxy, VPN) rather than by Prefect settings.
  • Log WebSocket upgrade requests to /api/events/in at the reverse proxy, recording whether an Authorization header was present and whether the upstream answered 101 Switching Protocols, and alert on unauthenticated upgrades, especially from addresses that are not known Prefect workers or clients. If the proxy can enforce authentication itself (for example by requiring a bearer token or a client certificate on the /api/ path), that check runs before the Prefect route is reached and closes the gap until the upgrade is done.
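
The two checks above (is the server on a release before 3.6.14, and which unauthenticated WebSocket upgrades to /api/events/in reached it) as an added Python example. This is not code from the Prefect project or from the OpenCVE page: the version logic uses only the fixed version stated in the record, and the JSON-lines access-log format, its field names and the sample lines are assumptions constructed for the example; adapt the field names to the log_format your proxy actually emits.

```python
"""Added example for CVE-2026-7723 (not code from the Prefect project or from
the OpenCVE page). Two checks a practitioner can run:

  1. is_affected(version): is this Prefect server on a release before the
     fix in 3.6.14?
  2. find_unauthenticated_event_upgrades(lines): which WebSocket upgrade
     requests to /api/events/in reached the server without an Authorization
     header, and did the server complete the handshake (status 101)?

The JSON-lines access-log format is an assumption made for this example
(one object per request with path, upgrade, authorization_present, status
and remote_addr fields); adapt the field names to your proxy's log_format.
"""
import json
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = (3, 6, 14)          # first release carrying the fix, per the CVE record
VULNERABLE_PATH = "/api/events/in"  # the WebSocket endpoint named in the CVE record
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split '3.6.13', 'v3.6.14' or '3.6.14rc1' into (major, minor, patch, suffix)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Prefect version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix.strip()


def is_affected(version: str) -> bool:
    """True when the server predates the 3.6.14 fix.

    Pre-release or dev builds of 3.6.14 itself (e.g. '3.6.14rc1') are treated
    as affected, because such a build may have been cut before the fix commit.
    """
    major, minor, patch, suffix = parse_version(version)
    triple = (major, minor, patch)
    if triple < FIXED_VERSION:
        return True
    return triple == FIXED_VERSION and bool(suffix)


def find_unauthenticated_event_upgrades(log_lines: Iterable[str]) -> List[dict]:
    """Return one finding per WebSocket upgrade to /api/events/in that carried
    no Authorization header. 'accepted' is True when the upstream answered
    101 Switching Protocols, i.e. the unauthenticated channel was opened."""
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        path = str(rec.get("path", "")).split("?", 1)[0]  # ignore any query string
        if path != VULNERABLE_PATH:
            continue
        if str(rec.get("upgrade", "")).lower() != "websocket":
            continue
        if rec.get("authorization_present"):
            continue
        findings.append({
            "time": rec.get("time"),
            "remote_addr": rec.get("remote_addr"),
            "status": rec.get("status"),
            "accepted": rec.get("status") == 101,
        })
    return findings


# Constructed sample log lines (not real traffic). 203.0.113.7 opens the
# events socket with no credentials and the server completes the handshake;
# its second attempt is rejected by a proxy rule (403); the remaining lines
# are an authenticated worker, an unrelated request and a malformed line.
SAMPLE_ACCESS_LOG = """\
{"time":"2026-05-05T01:02:03Z","remote_addr":"10.0.0.5","method":"GET","path":"/api/events/in","upgrade":"websocket","authorization_present":true,"status":101}
{"time":"2026-05-05T01:02:09Z","remote_addr":"203.0.113.7","method":"GET","path":"/api/events/in","upgrade":"websocket","authorization_present":false,"status":101}
{"time":"2026-05-05T01:02:10Z","remote_addr":"203.0.113.7","method":"GET","path":"/api/events/in?retry=1","upgrade":"websocket","authorization_present":false,"status":403}
{"time":"2026-05-05T01:02:11Z","remote_addr":"10.0.0.6","method":"GET","path":"/api/health","upgrade":"","authorization_present":false,"status":200}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for v in ("3.6.13", "3.6.14", "3.6.14rc1"):
        print(f"Prefect {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for f in find_unauthenticated_event_upgrades(SAMPLE_ACCESS_LOG.splitlines()):
        print("unauthenticated /api/events/in upgrade:", f)
```

A finding with accepted set to True is the one that matters: it means the server completed an unauthenticated handshake on the events socket, so the client address belongs in the incident timeline. Findings with a 4xx status show that a proxy-side rule is doing its job while the upgrade is pending.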

Generated by OpenCVE AI on May 5, 2026 at 00:21 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 22:30:00 +0000


Mon, 04 May 2026 21:30:00 +0000

Type: Description
Values removed: A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. It is recommended to upgrade the affected component.
Values added: A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: References

Mon, 04 May 2026 12:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 03:00:00 +0000

Type: Description
Values added: A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. It is recommended to upgrade the affected component.

Type: Title
Values added: PrefectHQ prefect WebSocket Endpoint in missing authentication

Type: First Time appeared
Values added: Prefect; Prefect prefect

Type: Weaknesses
Values added: CWE-287; CWE-306

Type: CPEs
Values added: cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Prefect; Prefect prefect

Type: References

Type: Metrics
Values added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T21:17:54.417Z

Reserved: 2026-05-03T09:18:16.724Z

Link: CVE-2026-7723

Vulnrichment

Updated: 2026-05-04T11:33:59.859Z

NVD

Status : Deferred

Published: 2026-05-04T03:16:13.143

Modified: 2026-05-04T22:16:19.943

Link: CVE-2026-7723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T00:30:11Z

Weaknesses