Search for packages
| purl | pkg:pypi/prefect@3.6.5.dev4 |
| Next non-vulnerable version | 3.6.28.dev2 |
| Latest non-vulnerable version | 3.6.28.dev2 |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2urt-a6hm-b7aj
Aliases: CVE-2026-7724 GHSA-p3pq-hxmr-vqqr |
Prefect SSRF Bypass via DNS Rebinding in validate_restricted_url A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. |
Affected by 0 other vulnerabilities. |
|
VCID-j1wy-2r5b-7fd4
Aliases: CVE-2026-7725 GHSA-6rcx-55r6-jx65 |
Prefect Git Argument Injection in GitRepository Pull Steps A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component. |
Affected by 1 other vulnerability. |
|
VCID-nmjg-h8k6-myee
Aliases: CVE-2026-7722 GHSA-6rr6-v7cj-mxpg |
Prefect Auth Bypass via endswith() Health Check Exemption A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. Upgrading the affected component is recommended. |
Affected by 2 other vulnerabilities. |
|
VCID-q76q-pfq1-p3f9
Aliases: CVE-2026-7723 GHSA-hvph-5985-r63v |
Prefect Unauthenticated Event Injection via /api/events/in WebSocket A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. It is recommended to upgrade the affected component. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:25:10.497392+00:00 | GitLab Importer | Affected by | VCID-nmjg-h8k6-myee | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/prefect/CVE-2026-7722.yml | 38.6.0 |
| 2026-06-06T08:25:05.061775+00:00 | GitLab Importer | Affected by | VCID-2urt-a6hm-b7aj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/prefect/CVE-2026-7724.yml | 38.6.0 |
| 2026-06-06T08:24:56.233797+00:00 | GitLab Importer | Affected by | VCID-q76q-pfq1-p3f9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/prefect/CVE-2026-7723.yml | 38.6.0 |
| 2026-06-06T08:24:49.765280+00:00 | GitLab Importer | Affected by | VCID-j1wy-2r5b-7fd4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/prefect/CVE-2026-7725.yml | 38.6.0 |