CVE-2026-7723
Received Received - Intake
Authentication Bypass in PrefectHQ Prefect via WebSocket Endpoint

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: VulDB

Description
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7723
EUVD
EUVD-2026-26877
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
prefecthq prefect to 3.6.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker to inject unauthorized events into the Prefect server by connecting to the /api/events/in WebSocket endpoint without authentication.

  • Unauthorized automation triggers could be executed, potentially disrupting workflows.
  • Event logs could be polluted with malicious or fake events, affecting observability and monitoring.
  • Overall disruption of the Prefect server's event processing and automation engine could occur.
Executive Summary

CVE-2026-7723 is a security vulnerability in Prefect versions up to 3.6.13 affecting the /api/events/in WebSocket endpoint. The flaw allows this endpoint to bypass authentication checks even when authentication is configured via the PREFECT_SERVER_API_AUTH_STRING environment variable. This means an attacker can connect remotely without credentials and send crafted events that the server will accept and process.

The vulnerability arises because the endpoint inconsistently enforces authentication, allowing unauthorized event injection. The issue is fixed in version 3.6.14 by enforcing strict authentication requirements, including requiring the 'prefect' subprotocol during the WebSocket handshake and validating authentication tokens before allowing connections.

Detection Guidance

The vulnerability involves unauthenticated access to the `/api/events/in` WebSocket endpoint in Prefect server versions up to 3.6.13. Detection can focus on monitoring WebSocket connections to this endpoint that do not perform the required authentication handshake or do not use the 'prefect' subprotocol when authentication is configured.

You can detect potential exploitation attempts by capturing WebSocket traffic and checking for connections to `/api/events/in` that lack the 'prefect' subprotocol or authentication messages.

  • Use network traffic capture tools like tcpdump or Wireshark to filter WebSocket handshake requests to the `/api/events/in` endpoint.
  • Example tcpdump command to capture WebSocket handshake HTTP requests to the endpoint (assuming default port 4200 or adjust accordingly):
  • tcpdump -i any -A 'tcp port 4200 and (((tcp[((tcp[12] & 0xf0) >> 2):4]) = 0x47455420))' | grep '/api/events/in'
  • Analyze captured HTTP headers for the presence of the 'Sec-WebSocket-Protocol' header containing 'prefect' and for authentication messages in the WebSocket payload.
  • Alternatively, use WebSocket client tools or scripts to attempt connections without authentication to test if the server improperly accepts unauthenticated connections.
Mitigation Strategies

The primary and recommended mitigation is to upgrade Prefect to version 3.6.14 or later, where the vulnerability has been fixed by enforcing proper authentication on the `/api/events/in` WebSocket endpoint.

If immediate upgrade is not possible, ensure that the `PREFECT_SERVER_API_AUTH_STRING` environment variable is properly configured to enable authentication, although this alone may not fully mitigate the issue in vulnerable versions.

Additionally, restrict network access to the Prefect server WebSocket endpoint to trusted clients only, using firewall rules or network segmentation to reduce exposure.

Monitor WebSocket connections for suspicious unauthenticated access attempts and consider implementing additional application-layer controls or proxies that enforce authentication.

Compliance Impact

The vulnerability in Prefect up to version 3.6.13 allows unauthenticated access to the /api/events/in WebSocket endpoint, which can lead to unauthorized event injection and manipulation of automation triggers or event logs.

Such unauthorized access and manipulation could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data and system integrity.

By allowing missing authentication, the vulnerability increases the risk of unauthorized data processing or disruption of audit logs, which are critical for regulatory compliance.

The fix in version 3.6.14 enforces consistent authentication on the affected endpoint, thereby helping to restore proper access controls and reduce compliance risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart