CVE-2026-7723
HIGHPrefectHQ prefect WebSocket Endpoint in missing authentication
Title source: cnaDescription
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
References (9)
Core 9
Core References
Vdb Entry vdb-entry
VDB-360899 | PrefectHQ prefect WebSocket Endpoint in missing authentication
https://vuldb.com/vuln/360899
Signature, Permissions Required signature
permissions-required
VDB-360899 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/360899/cti
Third Party Advisory third-party-advisory
Submit #807256 | PerfectHQ Perfect <=3.6.13 Missing Critical Step in Authentication
https://vuldb.com/submit/807256
Exploit exploit
https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f
Patch issue-tracking
patch
https://github.com/PrefectHQ/prefect/pull/20372
Product product
https://github.com/PrefectHQ/prefect/
Scores
CVSS v3
7.3
EPSS
0.0011
EPSS Percentile
29.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-287
CWE-306
Status
published
Products (15)
PrefectHQ/prefect
3.6.0
PrefectHQ/prefect
3.6.1
PrefectHQ/prefect
3.6.10
PrefectHQ/prefect
3.6.11
PrefectHQ/prefect
3.6.12
PrefectHQ/prefect
3.6.13
PrefectHQ/prefect
3.6.14
PrefectHQ/prefect
3.6.2
PrefectHQ/prefect
3.6.3
PrefectHQ/prefect
3.6.4
... and 5 more
Published
May 04, 2026
Tracked Since
May 04, 2026