CVE-2026-7722

MEDIUM

PrefectHQ prefect Health Check API health endswith improper authentication

Title source: cna
STIX 2.1

Description

A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

References (9)

Core 9
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-360898 | PrefectHQ prefect Health Check API health endswith improper authentication
https://vuldb.com/vuln/360898
Signature, Permissions Required signature permissions-required
VDB-360898 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/360898/cti
Third Party Advisory third-party-advisory
Submit #807255 | PrefectHQ Perfect <=3.6.21 Improper Authentication
https://vuldb.com/submit/807255

Scores

CVSS v3 5.3
EPSS 0.0007
EPSS Percentile 22.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (23)
PrefectHQ/prefect 3.6.0
PrefectHQ/prefect 3.6.1
PrefectHQ/prefect 3.6.10
PrefectHQ/prefect 3.6.11
PrefectHQ/prefect 3.6.12
PrefectHQ/prefect 3.6.13
PrefectHQ/prefect 3.6.14
PrefectHQ/prefect 3.6.15
PrefectHQ/prefect 3.6.16
PrefectHQ/prefect 3.6.17
... and 13 more
Published May 04, 2026
Tracked Since May 04, 2026