| Title | PrefectHQ Prefect <=3.6.21 Improper Authentication |
|---|
| Description | Vulnerability Report: Prefect Server Authentication Bypass
Title: Prefect Server Authentication Bypass via Insecure Health Check Suffix Matching
Product: Prefect (PrefectHQ/prefect)
Affected Versions: 3.x prior to 3.6.22
Condition: Occurs when PREFECT_SERVER_API_AUTH_STRING is enabled.
CWE: CWE-287, CWE-183
CVSS 3.1: 5.3 (Medium) - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description:
The authentication middleware in affected versions of Prefect Server exempts health probes from authentication with a suffix-matching check rather than an exact path comparison. Specifically, the code calls `.endswith(("health", "ready"))` on the request path. Any unauthenticated GET request whose path ends with "health" or "ready" is therefore treated as a health probe and passed through without checking the auth string.
Impact:
This vulnerability allows unauthenticated read access to sensitive metadata, including flow configurations, work pool details, and variable values (which may contain secrets), for any resource whose name ends with one of the exempted suffixes (for example, a variable named `test-health` or a work pool named `prod-ready`).
Proof of Concept:
A request to a protected variable demonstrates the bypass:
- GET /api/variables/name/test returns 401 (Unauthorized)
- GET /api/variables/name/test-health returns 404 (Not Found)
The 404 (rather than 401) response confirms that the authentication middleware was bypassed and the request reached the application router, which then reported that no such variable exists; had a variable with that name existed, its value would have been returned.
Fix:
This issue has been fixed in version 3.6.22 by replacing suffix matching with an exact path check.
The fix was implemented here: [https://github.com/PrefectHQ/prefect/pull/21063](https://github.com/PrefectHQ/prefect/pull/21063) |
|---|
| Source | https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 |
|---|
| User | nedlir (UID 95981) |
|---|
| Submitted | 17/04/2026 09:45 PM (2 months ago) |
|---|
| Moderation | 03/05/2026 11:18 AM (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 360898 [PrefectHQ prefect up to 3.6.21 Health Check API /api/health endswith weak authentication] |
|---|
| Points | 20 |
|---|
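The suffix-matching exemption described in the report, and the exact-match check that replaces it, reimplemented side by side so the difference can be run against sample request lines. This is an added illustration, not Prefect's own middleware or the code from PR 21063. It assumes that the exempt probe endpoints are `/api/health` and `/api/ready`, that the exemption applies to GET requests (as the report states), and that the configured auth string is compared as an opaque secret; the request lines are constructed, not captured traffic.

```python
"""Added example, not Prefect's own code: the health-probe exemption the advisory
describes, in its vulnerable (suffix match) and fixed (exact match) forms.

Assumptions, labelled as such: the probe endpoints are /api/health and /api/ready,
the exemption applies to GET requests, and the auth string is an opaque secret
compared in constant time.
"""

import hmac
from urllib.parse import urlsplit

# Assumption: the exact probe endpoints exposed by the deployment.
PROBE_PATHS = frozenset({"/api/health", "/api/ready"})

# Constructed sample request lines (method, request-target); not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "/api/health"),
    ("GET", "/api/ready"),
    ("GET", "/api/health?verbose=1"),
    ("POST", "/api/health"),
    ("GET", "/api/variables/name/test"),
    ("GET", "/api/variables/name/test-health"),
    ("GET", "/api/work_pools/prod-ready"),
    ("GET", "/api/flows/name/ready"),
]


def request_path(target: str) -> str:
    """Match on the path component only; the query string does not affect routing."""
    return urlsplit(target).path


def exempt_vulnerable(method: str, target: str) -> bool:
    """Pre-3.6.22 behaviour as described in the advisory: a suffix match on the
    path, so any GET whose path happens to end in 'health' or 'ready' skips auth."""
    return method == "GET" and request_path(target).endswith(("health", "ready"))


def exempt_fixed(method: str, target: str) -> bool:
    """Exact-match allowlist: only the probe endpoints themselves are exempt."""
    return method == "GET" and request_path(target) in PROBE_PATHS


def authenticate(method, target, presented, expected, exempt) -> int:
    """Model of the middleware decision. 200 means the request is handed to the
    router (which may still answer 404); 401 means it is rejected before routing."""
    if exempt(method, target):
        return 200
    if presented is not None and hmac.compare_digest(presented.encode(), expected.encode()):
        return 200
    return 401


def bypassed_paths(requests=SAMPLE_REQUESTS) -> list[str]:
    """Targets the vulnerable check lets through unauthenticated but the fixed
    check protects: the attack surface opened by the suffix match."""
    return [t for m, t in requests if exempt_vulnerable(m, t) and not exempt_fixed(m, t)]


def status_table(requests=SAMPLE_REQUESTS, expected="s3cret") -> dict[str, tuple[int, int]]:
    """Status an unauthenticated client gets per request line under the vulnerable
    and the fixed check, keyed by 'METHOD target'."""
    return {
        f"{m} {t}": (
            authenticate(m, t, None, expected, exempt_vulnerable),
            authenticate(m, t, None, expected, exempt_fixed),
        )
        for m, t in requests
    }


if __name__ == "__main__":
    for line, (old, new) in status_table().items():
        print(f"{line:40s} vulnerable={old} fixed={new}")
    print("bypassed by suffix match:", bypassed_paths())
```

Running the block shows the three constructed resource paths ending in `health` or `ready` receiving 200 from the vulnerable check and 401 from the exact-match check, while the genuine probes (including one with a query string) pass both and a POST to `/api/health` passes neither. When auditing a similar allowlist, the questions to ask are the ones this makes visible: is the comparison exact or partial, is it made on the path alone, and is it restricted to the methods a probe actually uses.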