CVE-2026-3514
Authentication Bypass in Prefect via Health Check Path Exemption
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prefecthq | prefect | 3.6.19 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
In version 3.6.19 of prefecthq/prefect, there is an authentication bypass vulnerability caused by improper handling of URL path exemptions for health check probes.
The authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks, allowing attackers to create resource names ending with these strings and access them without authentication.
Affected endpoints include variables, flows, work pools, work queues, and deployments.
This flaw allows unauthorized access to sensitive information such as API keys and database credentials stored in Prefect Variables.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive data within the Prefect system.
- Attackers can bypass authentication by exploiting the suffix-based exemption for URL paths ending with 'health' or 'ready'.
- They can access endpoints related to variables, flows, work pools, work queues, and deployments without proper authorization.
- Sensitive information such as API keys and database credentials stored in Prefect Variables may be exposed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if any requests to Prefect endpoints with URL paths ending in "health" or "ready" are being allowed without authentication.
One way to detect this is to monitor network traffic or logs for requests to paths such as "/variables/*-health" or "/flows/*-ready" that do not require authentication.
You can use commands like curl to test if authentication is bypassed for crafted URLs. For example:
- curl -i http://<prefect-server>/variables/system-health
- curl -i http://<prefect-server>/flows/myflow-ready
If these requests return sensitive information without requiring authentication, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update Prefect to a version that includes the fix where the authentication middleware checks for exact path matches rather than suffix matches.
The fix ensures that only exact paths "/health" or "/ready" are exempt from authentication, preventing unauthorized access via crafted paths.
Until the update can be applied, consider restricting access to Prefect endpoints at the network level, such as by using firewall rules or API gateways to enforce authentication on all paths.
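To make the suffix-versus-exact distinction concrete and to give the log-based detection described above something to run on, here is an added illustrative model; it is not Prefect's own middleware code. It assumes the probe endpoints are exactly /health and /ready with no API prefix, and the access-log format it parses is constructed for this example.

```python
import re
from typing import Callable

# Only the probe endpoints themselves should be reachable without credentials.
PROBE_PATHS = {"/health", "/ready"}

def is_exempt_vulnerable(path: str) -> bool:
    """Suffix-based exemption as described in the advisory: any path whose last
    characters are 'health' or 'ready' skips authentication, so a resource named
    'system-health' under /variables is served to anonymous callers."""
    return path.endswith("health") or path.endswith("ready")

def is_exempt_fixed(path: str) -> bool:
    """Exact-match exemption: strip a trailing slash, then require the whole path
    to equal a probe endpoint. '/variables/system-health' is no longer exempt."""
    return (path.rstrip("/") or "/") in PROBE_PATHS

def authorize(path: str, authenticated: bool,
              exempt: Callable[[str], bool] = is_exempt_fixed) -> int:
    """HTTP status an authentication middleware would return for one request."""
    return 200 if exempt(path) or authenticated else 401

# Constructed access-log lines (hypothetical format: method path status auth-state).
SAMPLE_LOG = """\
GET /health 200 auth=none
GET /ready 200 auth=none
GET /variables/system-health 200 auth=none
GET /flows/myflow-ready 200 auth=none
GET /variables/db-password 401 auth=none
GET /deployments/etl-ready 200 auth=bearer
"""
LOG_RE = re.compile(r"^(\w+) (\S+) (\d{3}) auth=(\S+)$")

def suspicious_requests(log_text: str) -> list:
    """Return (path, status) for anonymous requests that were served on a path that
    merely ends in 'health'/'ready' but is not a real probe endpoint: evidence that
    the suffix exemption is being hit on a live server."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, path, status, auth = m.groups()
        anonymous_success = auth == "none" and status == "200"
        if anonymous_success and is_exempt_vulnerable(path) and not is_exempt_fixed(path):
            hits.append((path, int(status)))
    return hits
```

Feeding real server logs through `suspicious_requests` (after adapting `LOG_RE` to the actual format) separates genuine probe traffic from anonymous hits on crafted resource names.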
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to sensitive information such as API keys and database credentials stored in Prefect Variables. Unauthorized access to such sensitive data can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Specifically, the authentication bypass could result in exposure of confidential data, potentially violating data protection requirements and increasing the risk of data breaches.