CVE-2026-3514
Published:June 02, 2026
Updated:June 07, 2026
In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.
Affected Packages
prefect (CONDA):
Affected version(s) >=0.5.0 <3.6.23Fix Suggestion:
Update to version 3.6.23https://github.com/prefecthq/prefect.git (GITHUB):
Affected version(s) >=compat-tests-2.19.3 <3.6.22Fix Suggestion:
Update to version 3.6.22prefect (PYTHON):
Affected version(s) >=0.0.0 <3.6.22Fix Suggestion:
Update to version 3.6.22Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
EPSS
Base Score:
0.10