CVE-2026-7723

Summary

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Affected Software

VendorProductVersion RangeStatus
PrefectHQprefect3.6.0affected
PrefectHQprefect3.6.1affected
PrefectHQprefect3.6.2affected
PrefectHQprefect3.6.3affected
PrefectHQprefect3.6.4affected
PrefectHQprefect3.6.5affected
PrefectHQprefect3.6.6affected
PrefectHQprefect3.6.7affected
PrefectHQprefect3.6.8affected
PrefectHQprefect3.6.9affected
PrefectHQprefect3.6.10affected
PrefectHQprefect3.6.11affected
PrefectHQprefect3.6.12affected
PrefectHQprefect3.6.13affected
PrefectHQprefect3.6.14unaffected

Weaknesses

  • CWE-306: Missing Authentication
  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References