By vendor

Prefect vulnerabilities

Known CVEs affecting Prefect products, prioritized by severity, with SEC.co remediation and detection guidance.

1 published vulnerability

  • CVE-2026-3514HIGH 7.5

    Prefect version 3.6.19 contains an authentication bypass vulnerability in its health check exemption logic. The system automatically skips authentication for any URL path ending in 'health' or 'ready', a design meant to allow infrastructure monitoring. An attacker can exploit this by creating resources—such as variables, flows, work pools, work queues, or deployments—with names ending in those keywords, then access them without credentials. This can expose sensitive secrets like API keys and database passwords that are stored in Prefect Variables.