Description
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-05-04
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is a classic time-of-check to time-of-use race condition in the Webhook/Notification validate_restricted_url function of Prefect. An attacker can supply a URL that passes the initial restriction check, but the state that check depended on can change before the URL is actually resolved and used, so the request ends up at an unintended location. The flaw is classified as CWE-362 and CWE-367. It allows a remote attacker to bypass the intended restriction on webhook destinations, which could lead to unintended network requests or data exfiltration, but it does not provide arbitrary code execution or system compromise.
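To make the check-then-use gap concrete, the following is an added illustration (not Prefect's code, and not a reproduction of the patched function) of the general pattern behind this class of bug: a destination check that resolves the hostname once, followed by an HTTP client that resolves it again when connecting, beside the pinned variant that resolves once and connects to the address it checked. The resolver is injected and the `FlippingResolver`, the hostnames and the addresses are all constructed for the example, so it runs offline; `is_restricted`, `validate_then_fetch_toctou` and `validate_and_pin` are hypothetical names.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlparse

# A resolver maps a hostname to an IPv4 address in text form. Real code would
# call socket.getaddrinfo; here it is injected so the race can be reproduced
# deterministically without network access (hypothetical helper, not Prefect's API).
Resolver = Callable[[str], str]


def is_restricted(ip_text: str) -> bool:
    """True for loopback, private, link-local and other non-global addresses."""
    return not ipaddress.ip_address(ip_text).is_global


def _host_of(url: str) -> str:
    host = urlparse(url).hostname
    if not host:
        raise ValueError("URL has no host component")
    return host


def validate_then_fetch_toctou(url: str, resolve: Resolver) -> str:
    """Weak pattern: the restriction check resolves the name once (time of check),
    then the HTTP client resolves it again when it connects (time of use).
    Returns the address the client would actually connect to."""
    host = _host_of(url)
    if is_restricted(resolve(host)):            # time of check
        raise ValueError(f"{host} resolves to a restricted address")
    return resolve(host)                        # time of use: a second, independent lookup


def validate_and_pin(url: str, resolve: Resolver) -> str:
    """Hardened pattern: resolve exactly once, check that answer, and hand the
    pinned address to the client. The caller connects to the returned address
    and keeps the original hostname in the Host header / SNI."""
    host = _host_of(url)
    pinned = resolve(host)
    if is_restricted(pinned):
        raise ValueError(f"{host} resolves to a restricted address")
    return pinned


class FlippingResolver:
    """Constructed resolver that returns successive answers on successive lookups,
    simulating a record whose answer changes between check and use."""

    def __init__(self, answers: List[str]) -> None:
        self._answers = list(answers)
        self.lookups = 0

    def __call__(self, host: str) -> str:
        index = min(self.lookups, len(self._answers) - 1)
        self.lookups += 1
        return self._answers[index]


if __name__ == "__main__":
    url = "https://hook.example/notify"   # constructed sample webhook URL
    weak = FlippingResolver(["93.184.216.34", "127.0.0.1"])
    print("weak pattern connects to", validate_then_fetch_toctou(url, weak))
    safe = FlippingResolver(["93.184.216.34", "127.0.0.1"])
    print("pinned pattern connects to", validate_and_pin(url, safe))
```

The weak variant ends up connecting to 127.0.0.1 even though the check saw a public address, because nothing ties the checked answer to the connection; the pinned variant performs a single lookup, and a resolver that answers with a restricted address on that lookup is rejected outright. In production the pinned address still has to be the one the socket connects to, which means the HTTP client must accept an explicit address rather than re-resolving the URL.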

Affected Systems

PrefectHQ Prefect versions up to and including 3.6.28.dev1 are affected. These releases are identified by the CPE cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:* and are used by deployments that have not yet applied the fix commit 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. From 3.6.28.dev2 onward the issue is resolved.

Risk and Exploitability

The CVSS score of 2.3 reflects a low overall severity, and the EPSS score of <1% indicates limited exploitation pressure. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to reliably win a race condition against a remote target, a task described as high-complexity and difficult to execute in practice. Consequently the likelihood of real-world attacks is currently low, but the issue should still be remedied to eliminate the possibility of a URL restriction bypass.

Generated by OpenCVE AI on May 4, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prefect to 3.6.28.dev2 or later, which includes the commit that fixes the validate_restricted_url flaw.
  • Restart Prefect services to load the updated code.
  • Apply network segmentation or firewall rules to limit inbound traffic to webhook endpoints, reducing exposure to remote attackers.

Advisories

No advisories yet.

History

Tue, 05 May 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 21:30:00 +0000

Type: Description
Values Removed: A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised.
Values Added: A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Mon, 04 May 2026 03:00:00 +0000

Type: Description
Values Added: A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised.

Type: Title
Values Added: PrefectHQ prefect Webhook/Notification validate_restricted_url toctou

Type: First Time appeared
Values Added: Prefect; Prefect prefect

Type: Weaknesses
Values Added: CWE-362; CWE-367

Type: CPEs
Values Added: cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Prefect; Prefect prefect

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0 {'score': 4.6, 'vector': 'AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 5, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T00:54:45.176Z

Reserved: 2026-05-03T09:18:19.872Z

Link: CVE-2026-7724

Vulnrichment

Updated: 2026-05-05T00:54:39.228Z

NVD

Status : Deferred

Published: 2026-05-04T03:16:13.317

Modified: 2026-05-04T22:16:20.087

Link: CVE-2026-7724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T23:30:11Z

Weaknesses