HIGH 7.5

CVE-2026-3514: Prefect 3.6.19 Authentication Bypass via Health Check Exemptions

Prefect version 3.6.19 contains an authentication bypass vulnerability in its health check exemption logic. The system automatically skips authentication for any URL path ending in 'health' or 'ready', a design meant to allow infrastructure monitoring. An attacker can exploit this by creating resources—such as variables, flows, work pools, work queues, or deployments—with names ending in those keywords, then access them without credentials. This can expose sensitive secrets like API keys and database passwords that are stored in Prefect Variables.

Source data · NVD / CISA · public domain

CVSS
3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from overly broad path-based authentication exemptions in Prefect's middleware. The authentication layer exempts all paths ending with 'health' or 'ready' to support Kubernetes and monitoring tool health probes. However, this exemption is applied at the URL path level without validating whether the requested resource is actually a legitimate health check endpoint. An attacker can craft a resource name ending in 'health' or 'ready' (for example, a variable named 'database_password_health'), and the authentication middleware will allow access to that resource's API endpoint without requiring valid credentials. The vulnerability affects multiple resource types including variables, flows, work pools, work queues, and deployments—all of which may store or reference sensitive configuration data.

Business impact

This vulnerability poses a direct risk to organizations running Prefect for workflow orchestration. Prefect Variables commonly store secrets, credentials, and configuration that power automated deployments and integrations. Unauthenticated access to these resources could expose database credentials, API keys for external services, encryption keys, and other sensitive operational data. The impact is particularly severe because Prefect environments often integrate with critical infrastructure, cloud platforms, and data systems. A compromise could enable lateral movement, credential theft, or unauthorized modification of workflow configurations. Organizations should prioritize assessment of their Prefect deployments to determine exposure and blast radius.

Affected systems

Prefect version 3.6.19 is confirmed affected. Users of Prefect running this specific version should assume they are vulnerable unless they have already applied a patch or implement a mitigating control. Given that this is a relatively recent version (published June 2026), it is likely deployed in active environments. The vulnerability affects Prefect deployments regardless of hosting model (self-hosted or cloud), provided the vulnerable code is in use.

Exploitability

This vulnerability is straightforward to exploit and requires no authentication, special privileges, or user interaction. An attacker with network access to the Prefect API can immediately craft malicious requests to resource endpoints with names ending in 'health' or 'ready'. The low complexity attack vector (network-accessible API, no authentication barrier) makes this a high-confidence exploitation scenario. No advanced techniques or specialized tools are required beyond standard HTTP requests. Organizations should treat this as a high-priority containment issue.

Remediation

Upgrade Prefect to a patched version released after 3.6.19 that implements proper authentication checks on all resource endpoints, regardless of path naming conventions. Verify the exact patched version number against the official Prefect advisory and release notes. As an interim mitigation, implement network-level access controls to restrict API access to trusted clients only, and monitor for suspicious API requests targeting resources with 'health' or 'ready' suffixes. Review audit logs for any unauthorized access attempts or data exfiltration.

Patch guidance

Consult the official Prefect security advisory and release notes to identify the specific patched version that addresses CVE-2026-3514. Apply the patch to all Prefect instances running version 3.6.19. Test the patch in a staging environment before rolling out to production to ensure no workflow disruptions. Verify that the patched version properly enforces authentication on all API endpoints, including those for variables, flows, and deployments. After patching, rotate any secrets that may have been exposed during the vulnerability window.

Detection guidance

Search API access logs for requests to endpoints containing '/health' or '/ready' that originated from unauthorized or external sources. Look for requests to variable, flow, work pool, work queue, or deployment endpoints with these suffixes in the resource name, particularly those that succeeded without authentication headers. Monitor for unusually high volumes of API requests to these endpoints, which may indicate reconnaissance or data harvesting. Set up alerts for any successful unauthenticated API responses from these paths. If Prefect audit logging is available, review for unauthorized access patterns during the vulnerability exposure period.

Why prioritize this

This vulnerability merits immediate attention due to the combination of high CVSS score (7.5), complete lack of authentication requirement, trivial exploitability, and direct exposure of sensitive secrets. The attack surface is broad (multiple resource types affected) and requires no user interaction or specialized skills to exploit. Organizations storing database credentials, API keys, or encryption keys in Prefect Variables face material risk of credential compromise. The recent publication date suggests active deployment in production environments.

Risk score, explained

The CVSS 3.0 score of 7.5 (HIGH) reflects a network-accessible attack requiring no authentication or user interaction (AV:N, PR:N, UI:N), with high confidentiality impact (C:H) from unauthorized access to sensitive stored data. No integrity or availability impact is directly caused by the vulnerability itself, though credential compromise could enable subsequent malicious actions. The score appropriately captures the severity of unauthenticated secret exposure in an orchestration platform.

Frequently asked questions

Can this vulnerability be exploited without network access to the Prefect API?

No. The vulnerability requires direct network access to the Prefect API endpoints. However, if the API is exposed to the internet or accessible from untrusted networks, the attack surface is very large. Organizations should verify their API exposure and network segmentation.

Does this only affect cloud-hosted Prefect, or does it also affect self-hosted deployments?

Both cloud-hosted and self-hosted Prefect deployments are affected if running version 3.6.19. The vulnerability exists in the core authentication middleware regardless of hosting model.

What types of secrets are typically stored in Prefect Variables?

Prefect Variables commonly store database connection strings, API keys for cloud services, encryption keys, service account credentials, and other configuration secrets needed by workflows. Any of these could be compromised via this vulnerability.

If we're running an older version of Prefect, are we affected?

This vulnerability is specific to version 3.6.19. Verify your running version against your deployment manifests or administrative console. If you are running a different version, consult the Prefect security advisory to determine if that version is affected, as other versions may have been patched or may have their own security considerations.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation prioritization. Verify all technical details, patch versions, and affected product versions against official vendor advisories before taking action. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific Prefect deployment configuration, data sensitivity, and network environment. This document does not constitute security advice and should not be relied upon as a substitute for professional security consultation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).