| 标题 | PrefectHQ Perfect <=3.6.21 Improper Authentication |
|---|
| 描述 | Vulnerability Report: Prefect Server Authentication Bypass
Title: Prefect Server Authentication Bypass via Insecure Health Check Suffix Matching
Product: Prefect (PrefectHQ/prefect)
Affected Versions: 3.x prior to 3.6.22
Condition: Occurs when PREFECT_SERVER_API_AUTH_STRING is enabled.
CWE: CWE-287, CWE-183
CVSS 3.1: 5.3 (Medium) - AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description:
The authentication middleware in affected versions of Prefect Server incorrectly uses a suffix matching check to exempt health probes from authentication. Specifically, the code uses .endswith(("health", "ready")) on the request path. This allows an unauthenticated attacker to bypass authentication for any GET request where the final path segment ends with "health" or "ready".
Impact:
This vulnerability allows unauthenticated access to sensitive metadata, including flow configurations, work pool details, and variable values (which may contain secrets), provided the resource name matches the exempted suffix.
Proof of Concept:
A request to a protected variable demonstrates the bypass:
- GET /api/variables/name/test returns 401 (Unauthorized)
- GET /api/variables/name/test-health returns 404 (Not Found)
The 404 response confirms the authentication middleware was bypassed and the request reached the application router.
Fix:
This issue has been fixed in version 3.6.22 by replacing suffix matching with an exact path check.
The fix was implemented here: [https://github.com/PrefectHQ/prefect/pull/21063](https://github.com/PrefectHQ/prefect/pull/21063) |
|---|
| 来源 | ⚠️ https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 |
|---|
| 用户 | nedlir (UID 95981) |
|---|
| 提交 | 2026-04-17 21時45分 (2 月前) |
|---|
| 管理 | 2026-05-03 11時18分 (16 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 360898 [PrefectHQ prefect 直到 3.6.21 Health Check API /api/health endswith 弱身份验证] |
|---|
| 积分 | 20 |
|---|