| Название | PrefectHQ Perfect <=3.6.21 Improper Authentication |
|---|
| Описание | Vulnerability Report: Prefect Server Authentication Bypass
Title: Prefect Server Authentication Bypass via Insecure Health Check Suffix Matching
Product: Prefect (PrefectHQ/prefect)
Affected Versions: 3.x prior to 3.6.22
Condition: Occurs when PREFECT_SERVER_API_AUTH_STRING is enabled.
CWE: CWE-287, CWE-183
CVSS 3.1: 5.3 (Medium) - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description:
The authentication middleware in affected versions of Prefect Server incorrectly uses a suffix matching check to exempt health probes from authentication. Specifically, the code uses .endswith(("health", "ready")) on the request path. This allows an unauthenticated attacker to bypass authentication for any GET request where the final path segment ends with "health" or "ready".
Impact:
This vulnerability allows unauthenticated access to sensitive metadata, including flow configurations, work pool details, and variable values (which may contain secrets), provided the resource name matches the exempted suffix.
Proof of Concept:
A request to a protected variable demonstrates the bypass:
- GET /api/variables/name/test returns 401 (Unauthorized)
- GET /api/variables/name/test-health returns 404 (Not Found)
The 404 response confirms the authentication middleware was bypassed and the request reached the application router.
Fix:
This issue has been fixed in version 3.6.22 by replacing suffix matching with an exact path check.
The fix was implemented here: [https://github.com/PrefectHQ/prefect/pull/21063](https://github.com/PrefectHQ/prefect/pull/21063) |
|---|
| Источник | ⚠️ https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 |
|---|
| Пользователь | nedlir (UID 95981) |
|---|
| Представление | 17.04.2026 21:45 (2 месяцы назад) |
|---|
| Модерация | 03.05.2026 11:18 (16 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 360898 [PrefectHQ prefect до 3.6.21 Health Check API /api/health endswith слабая аутентификация] |
|---|
| Баллы | 20 |
|---|