Submit #807255: PrefectHQ Perfect <=3.6.21 Improper Authenticationinfo

TitelPrefectHQ Perfect <=3.6.21 Improper Authentication
BeschreibungVulnerability Report: Prefect Server Authentication Bypass Title: Prefect Server Authentication Bypass via Insecure Health Check Suffix Matching Product: Prefect (PrefectHQ/prefect) Affected Versions: 3.x prior to 3.6.22 Condition: Occurs when PREFECT_SERVER_API_AUTH_STRING is enabled. CWE: CWE-287, CWE-183 CVSS 3.1: 5.3 (Medium) - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Description: The authentication middleware in affected versions of Prefect Server incorrectly uses a suffix matching check to exempt health probes from authentication. Specifically, the code uses .endswith(("health", "ready")) on the request path. This allows an unauthenticated attacker to bypass authentication for any GET request where the final path segment ends with "health" or "ready". Impact: This vulnerability allows unauthenticated access to sensitive metadata, including flow configurations, work pool details, and variable values (which may contain secrets), provided the resource name matches the exempted suffix. Proof of Concept: A request to a protected variable demonstrates the bypass: - GET /api/variables/name/test returns 401 (Unauthorized) - GET /api/variables/name/test-health returns 404 (Not Found) The 404 response confirms the authentication middleware was bypassed and the request reached the application router. Fix: This issue has been fixed in version 3.6.22 by replacing suffix matching with an exact path check. The fix was implemented here: [https://github.com/PrefectHQ/prefect/pull/21063](https://github.com/PrefectHQ/prefect/pull/21063)
Quelle⚠️ https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04
Benutzer
 nedlir (UID 95981)
Einreichung17.04.2026 21:45 (vor 2 Monaten)
Moderieren03.05.2026 11:18 (16 days later)
StatusAkzeptiert
VulDB Eintrag360898 [PrefectHQ prefect bis 3.6.21 Health Check API /api/health endswith schwache Authentisierung]
Punkte20

ZurückÜbersichtWeiter

Do you want to use VulDB in your project?

Use the official API to access entries easily!