Submit #807256: PrefectHQ Prefect <=3.6.13 Missing Critical Step in Authentication

Title: PrefectHQ Prefect <=3.6.13 Missing Critical Step in Authentication

Description:

Vulnerability Report: Prefect Unauthenticated Event Injection

Title: Prefect Unauthenticated Event Injection via /api/events/in WebSocket
Product: Prefect (PrefectHQ/prefect)
Affected Versions: 3.x prior to 3.6.14
CWE: CWE-306 (Missing Critical Step in Authentication)
CVSS 3.1: 7.5 (High) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description: The /api/events/in WebSocket endpoint in Prefect Server fails to perform authentication or subprotocol validation, even when PREFECT_SERVER_API_AUTH_STRING is configured. While standard HTTP endpoints are protected by middleware, Starlette-based WebSocket upgrades bypass these middleware layers. The endpoint accepts any connection and directly publishes incoming JSON data to the internal event publisher.

Impact: An unauthenticated attacker can open a WebSocket connection and inject arbitrary events into the Prefect ecosystem. These events are processed by the automations engine, which can trigger deployments, transition flow run states, pause schedules, or send notifications. This allows significant unauthorized manipulation of the orchestration environment and pollutes the event log, compromising system integrity.

Proof of Concept:
1. Confirm HTTP authentication is active (GET /api/flows returns 401).
2. Connect to ws://[target]:4200/api/events/in without providing credentials or a subprotocol.
3. Send a crafted JSON event.
4. Verify the event is successfully persisted and visible via the /api/events/filter endpoint.

Fix: The issue was resolved in version 3.6.14 by routing the connection through the accept_prefect_socket() wrapper, which enforces the 'prefect' subprotocol and token-based authentication. The fix was implemented here: https://github.com/PrefectHQ/prefect/pull/20372
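The middleware-bypass mechanism described above, as an added illustration that is not part of this submission or of Prefect's code base. It models, in a minimal hand-written ASGI harness (no Starlette needed), an authentication middleware written in the common HTTP-only shape next to a WebSocket endpoint that either trusts the middleware (the unprotected shape) or performs the subprotocol and token check itself before accepting the socket. The Authorization bearer header, the helper names, the token value and the sample event are constructed assumptions; Prefect's real accept_prefect_socket() may carry the token differently.

```python
"""Added example: an HTTP-only auth middleware does not cover WebSocket
upgrades, so a WebSocket endpoint must enforce auth itself."""
import asyncio
import hmac

API_TOKEN = "example-token"   # constructed; stands in for the configured API auth string
SUBPROTOCOL = "prefect"       # subprotocol the hardened endpoint requires


def _header(scope, name):
    """Return one header value from an ASGI scope (headers are (bytes, bytes) pairs)."""
    for key, value in scope.get("headers", []):
        if key.decode().lower() == name:
            return value.decode()
    return None


def http_only_auth_middleware(app):
    """Vulnerable pattern: the check runs only for scope type 'http'.
    A WebSocket upgrade arrives with scope type 'websocket' and is passed through."""
    async def wrapped(scope, receive, send):
        if scope["type"] == "http":
            if _header(scope, "authorization") != f"Bearer {API_TOKEN}":
                await send({"type": "http.response.start", "status": 401, "headers": []})
                await send({"type": "http.response.body", "body": b"unauthorized"})
                return
        await app(scope, receive, send)
    return wrapped


def make_events_in(publisher, enforce_auth):
    """WebSocket endpoint that publishes every incoming text frame to `publisher`.
    enforce_auth=False trusts the middleware (unprotected shape);
    enforce_auth=True checks subprotocol and token before accepting (hardened shape)."""
    async def endpoint(scope, receive, send):
        if scope["type"] != "websocket":
            await send({"type": "http.response.start", "status": 404, "headers": []})
            await send({"type": "http.response.body", "body": b""})
            return
        await receive()  # the initial websocket.connect message
        if enforce_auth:
            offered = [p.strip() for p in (_header(scope, "sec-websocket-protocol") or "").split(",")]
            token = _header(scope, "authorization") or ""
            if SUBPROTOCOL not in offered or not hmac.compare_digest(token, f"Bearer {API_TOKEN}"):
                await send({"type": "websocket.close", "code": 1008})  # reject before accept
                return
            await send({"type": "websocket.accept", "subprotocol": SUBPROTOCOL})
        else:
            await send({"type": "websocket.accept"})
        while True:
            message = await receive()
            if message["type"] != "websocket.receive":
                break
            publisher.append(message["text"])  # "publish" the event: here, just record it
        await send({"type": "websocket.close", "code": 1000})
    return endpoint


def drive(app, scope, incoming):
    """Run an ASGI app against scripted incoming messages; return what it sent."""
    queue, sent = list(incoming), []

    async def receive():
        return queue.pop(0) if queue else {"type": "websocket.disconnect", "code": 1000}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent


def ws_scope(headers):
    return {"type": "websocket", "path": "/api/events/in",
            "headers": [(k.encode(), v.encode()) for k, v in headers.items()]}


def demo():
    """Compare the two endpoint shapes behind the same HTTP-only middleware."""
    event = '{"event": "constructed.example"}'   # constructed sample event
    frames = [{"type": "websocket.connect"}, {"type": "websocket.receive", "text": event}]
    results = {}

    published = []
    app = http_only_auth_middleware(make_events_in(published, enforce_auth=False))
    http_reply = drive(app, {"type": "http", "path": "/api/flows", "headers": []}, [])
    results["http_unauth_status"] = http_reply[0]["status"]                 # 401: HTTP is guarded
    ws_reply = drive(app, ws_scope({}), frames)
    results["ws_unauth_accepted"] = ws_reply[0]["type"] == "websocket.accept"  # middleware skipped
    results["published_without_auth"] = list(published)

    published_hardened = []
    hardened = http_only_auth_middleware(make_events_in(published_hardened, enforce_auth=True))
    rejected = drive(hardened, ws_scope({}), frames)
    results["hardened_unauth_close_code"] = rejected[0]["code"]            # 1008, never accepted
    accepted = drive(hardened, ws_scope({"sec-websocket-protocol": SUBPROTOCOL,
                                         "authorization": f"Bearer {API_TOKEN}"}), frames)
    results["hardened_auth_accepted"] = accepted[0].get("subprotocol") == SUBPROTOCOL
    results["published_with_auth"] = list(published_hardened)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the harness makes is in `http_only_auth_middleware`: a filter keyed on `scope["type"] == "http"` never sees the upgrade, so the only reliable place to authenticate a WebSocket route is inside the handler itself, before `websocket.accept`, which is the shape of the fix the report describes. A regression check for a deployment is the same as the report's first two PoC steps read defensively: an unauthenticated HTTP request must get 401, and an unauthenticated upgrade to the same server must be closed rather than accepted.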
Source: https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f
User: nedlir (UID 95981)
Submission: 17.04.2026 21:54 (2 months ago)
Moderation: 03.05.2026 11:18 (16 days later)
Status: Accepted
VulDB Entry: 360899 [PrefectHQ prefect up to 3.6.13 WebSocket Endpoint /api/events/in weak authentication]
Points: 20
