{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/prefecthq/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7723"}],"_cs_exploited":false,"_cs_products":["prefect (\u003c= 3.6.13)"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-7723","authentication-bypass","websocket","prefecthq"],"_cs_type":"advisory","_cs_vendors":["PrefectHQ"],"content_html":"\u003cp\u003ePrefectHQ Prefect, a workflow management system, is vulnerable to an authentication bypass vulnerability identified as CVE-2026-7723. The vulnerability exists in versions up to 3.6.13 and stems from a flaw within the \u003ccode\u003e/api/events/in\u003c/code\u003e WebSocket endpoint. A remote attacker can manipulate data sent to this endpoint, leading to a failure in authentication checks. This can allow the attacker to perform unauthorized actions within the Prefect system. The vulnerability was published on 2026-05-04 and a patch is available in version 3.6.14, specifically commit \u003ccode\u003e0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40\u003c/code\u003e. Defenders should upgrade affected Prefect installations to version 3.6.14 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a PrefectHQ Prefect instance running a vulnerable version (\u0026lt;= 3.6.13) with an exposed \u003ccode\u003e/api/events/in\u003c/code\u003e WebSocket endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious WebSocket message specifically targeting the \u003ccode\u003e/api/events/in\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the manipulated message to the \u003ccode\u003e/api/events/in\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the authentication checks within the WebSocket endpoint fail to properly validate the attacker\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe Prefect system incorrectly processes the attacker\u0026rsquo;s request as authenticated.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits this lack of authentication to execute unauthorized actions within the Prefect system. These actions could include modifying workflows, accessing sensitive data, or disrupting operations.\u003c/li\u003e\n\u003cli\u003eThe attacker may further leverage their access to compromise other connected systems or data stores.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7723 allows an unauthenticated remote attacker to bypass authentication mechanisms in PrefectHQ Prefect. This can lead to unauthorized access to sensitive data, modification of workflows, and disruption of critical business processes. The CVSS v3.1 base score is 7.3, indicating a high severity vulnerability. The number of affected organizations depends on the adoption rate of PrefectHQ Prefect, but any organization running a vulnerable version is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PrefectHQ Prefect to version 3.6.14 or later to apply the patch (\u003ccode\u003e0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40\u003c/code\u003e) that resolves CVE-2026-7723.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/api/events/in\u003c/code\u003e endpoint to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect PrefectHQ Auth Bypass Attempt\u003c/code\u003e to identify unusual requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit by restricting access to sensitive resources from the Prefect server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-prefect-auth-bypass/","summary":"PrefectHQ Prefect versions up to 3.6.13 are vulnerable to an authentication bypass via manipulation of the /api/events/in WebSocket endpoint, potentially allowing remote attackers to execute unauthorized actions.","title":"PrefectHQ Prefect Authentication Bypass Vulnerability (CVE-2026-7723)","url":"https://feed.craftedsignal.io/briefs/2024-01-30-prefect-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Prefecthq","version":"https://jsonfeed.org/version/1.1"}