| Title | PrefectHQ Prefect <=3.6.13 Missing Critical Step in Authentication |
|---|---|
| Description | Vulnerability Report: Prefect Unauthenticated Event Injection |

Title: Prefect Unauthenticated Event Injection via /api/events/in WebSocket
Product: Prefect (PrefectHQ/prefect)
Affected Versions: 3.x prior to 3.6.14
CWE: CWE-306 (Missing Critical Step in Authentication)
CVSS 3.1: 7.5 (High) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description:
The /api/events/in WebSocket endpoint in Prefect Server fails to perform authentication or subprotocol validation, even when PREFECT_SERVER_API_AUTH_STRING is configured. While standard HTTP endpoints are protected by middleware, Starlette-based WebSocket upgrades bypass these middleware layers. The endpoint accepts any connection and directly publishes incoming JSON data to the internal event publisher.

Impact:
An unauthenticated attacker can open a WebSocket connection and inject arbitrary events into the Prefect ecosystem. These events are processed by the automations engine, which can trigger deployments, transition flow run states, pause schedules, or send notifications. This allows for significant unauthorized manipulation of the orchestration environment and pollutes the event log, compromising system integrity.

Proof of Concept:
1. Confirm HTTP authentication is active (GET /api/flows returns 401).
2. Connect to ws://[target]:4200/api/events/in without providing credentials or a subprotocol.
3. Send a crafted JSON event.
4. Verify the event is successfully persisted and visible via the /api/events/filter endpoint.

Fix:
The issue was resolved in version 3.6.14 by routing the connection through the accept_prefect_socket() wrapper, which enforces the 'prefect' subprotocol and token-based authentication.
The fix was implemented here: https://github.com/PrefectHQ/prefect/pull/20372
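The two handler shapes the report contrasts, as an added illustration that is not Prefect's code: an unauthenticated endpoint that publishes every frame, beside a gatekeeper in the spirit of accept_prefect_socket() that refuses upgrades without the 'prefect' subprotocol and discards frames until a token matching the configured auth string arrives. FakeSocket, the auth-frame shape, the close codes and API_AUTH_STRING are assumptions of this example; only the subprotocol and token requirements come from the report.

```python
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for PREFECT_SERVER_API_AUTH_STRING; not a real secret.
API_AUTH_STRING = "admin:constructed-example-secret"

# Constructed sample event frame (shape only, not from a real deployment).
EVENT_FRAME = json.dumps({"event": "example.resource.updated",
                          "resource": {"prefect.resource.id": "example.resource.1"}})


@dataclass
class FakeSocket:
    """Stand-in for a Starlette WebSocket (assumption): what the client offered,
    what it will send, and what the server did with it."""
    subprotocols: list
    incoming: list
    accepted_with: Optional[str] = None
    close_code: Optional[int] = None
    published: list = field(default_factory=list)


def vulnerable_events_in(ws: FakeSocket) -> FakeSocket:
    """Pre-3.6.14 shape: accept any upgrade, publish every frame unchecked."""
    ws.accepted_with = ""  # no subprotocol negotiated, no credentials asked for
    for frame in ws.incoming:
        ws.published.append(json.loads(frame))
    return ws


def accept_prefect_socket(ws: FakeSocket, auth_string: str) -> Optional[FakeSocket]:
    """Gatekeeper: require the 'prefect' subprotocol, then an auth frame
    {"type": "auth", "token": ...} whose token matches (constant-time compare)."""
    if "prefect" not in ws.subprotocols:
        ws.close_code = 1002  # protocol error (assumed code): wrong/absent subprotocol
        return None
    ws.accepted_with = "prefect"
    try:
        first = json.loads(ws.incoming[0])
    except (IndexError, ValueError):
        first = None
    if not isinstance(first, dict):
        first = {}
    token = str(first.get("token", "")).encode()
    if first.get("type") != "auth" or not hmac.compare_digest(token, auth_string.encode()):
        ws.close_code = 4001  # authentication failed (assumed code); nothing published
        return None
    return ws


def hardened_events_in(ws: FakeSocket, auth_string: str = API_AUTH_STRING) -> FakeSocket:
    """Post-fix shape: only frames after a successful auth frame reach the publisher."""
    if accept_prefect_socket(ws, auth_string) is None:
        return ws
    for frame in ws.incoming[1:]:
        ws.published.append(json.loads(frame))
    return ws
```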
| Source | ⚠️ https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f |
|---|---|
| User | nedlir (UID 95981) |
| Submission | 17/04/2026 09:54 PM (2 months ago) |
| Moderation | 03/05/2026 11:18 AM (16 days later) |
| Status | Accepted |
| VulDB Entry | 360899 [PrefectHQ prefect up to 3.6.13 WebSocket Endpoint /api/events/in weak authentication] |
| Points | 20 |