CVE-2026-7722

Summary

A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Affected Software

VendorProductVersion RangeStatus
PrefectHQprefect3.6.0affected
PrefectHQprefect3.6.1affected
PrefectHQprefect3.6.2affected
PrefectHQprefect3.6.3affected
PrefectHQprefect3.6.4affected
PrefectHQprefect3.6.5affected
PrefectHQprefect3.6.6affected
PrefectHQprefect3.6.7affected
PrefectHQprefect3.6.8affected
PrefectHQprefect3.6.9affected
PrefectHQprefect3.6.10affected
PrefectHQprefect3.6.11affected
PrefectHQprefect3.6.12affected
PrefectHQprefect3.6.13affected
PrefectHQprefect3.6.14affected
PrefectHQprefect3.6.15affected
PrefectHQprefect3.6.16affected
PrefectHQprefect3.6.17affected
PrefectHQprefect3.6.18affected
PrefectHQprefect3.6.19affected
PrefectHQprefect3.6.20affected
PrefectHQprefect3.6.21affected
PrefectHQprefect3.6.22unaffected

Weaknesses

  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References