CVE-2026-5366 in prefect
Summary
by MITRE • 06/20/2026
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/21/2026
The vulnerability in Prefect version 3.6.23 represents a critical remote code execution flaw that stems from inadequate input validation within the GitRepository storage class. This security weakness manifests through improper handling of user-controlled parameters that are subsequently passed to git commands without proper sanitization or separation mechanisms. The primary attack vector involves the commit_sha parameter which directly influences git command execution, creating an environment where malicious input can be interpreted as command-line flags rather than simple commit identifiers.
The technical implementation of this vulnerability leverages the absence of a double dash separator -- in git command invocations, which is a fundamental security practice recommended by the git documentation and security standards. Without this separator, user input can be interpreted by git as additional command-line options, enabling attackers to inject malicious flags such as --upload-pack that can trigger arbitrary program execution. This particular flaw aligns with CWE-74 and CWE-78 categories, representing code injection vulnerabilities where external input is improperly incorporated into command execution contexts. The vulnerability also demonstrates characteristics of CWE-20, indicating improper input validation that allows malicious data to influence program behavior.
The operational impact of this vulnerability extends beyond simple command injection to encompass complete system compromise within multi-tenant environments. Any user possessing deployment creation permissions can exploit this flaw to execute arbitrary commands on worker machines, effectively bypassing traditional access controls and security boundaries. This is particularly dangerous in shared work pools where multiple tenants operate within the same infrastructure, as the compromise of one user's deployment can potentially affect all other users sharing the same worker nodes. The attack surface is further expanded by the directories parameter which can be manipulated during sparse-checkout operations, providing additional injection points for malicious git flags.
Security mitigation strategies must address both the immediate code-level fixes and broader architectural considerations for multi-tenant environments. The primary remediation involves implementing proper input validation and sanitization for all user-controlled parameters passed to git commands, including the mandatory use of -- separator to distinguish user input from command flags. Additionally, implementing strict parameter validation that rejects potentially dangerous input patterns and employing privilege separation techniques can significantly reduce the attack surface. Organizations should also consider implementing network segmentation and access controls to limit the potential impact of successful exploitation, while the ATT&CK framework's T1059.001 technique for command and scripting interpreter should be monitored for anomalous execution patterns that might indicate exploitation attempts. The vulnerability underscores the importance of following security best practices such as those outlined in the OWASP Top Ten and NIST Cybersecurity Framework when developing and deploying containerized applications that interact with system-level commands.