Submission #807256: PrefectHQ Prefect <=3.6.13 Missing Critical Step in Authentication (Info)

Title: PrefectHQ Prefect <=3.6.13 Missing Critical Step in Authentication
Description: Vulnerability Report: Prefect Unauthenticated Event Injection

Title: Prefect Unauthenticated Event Injection via /api/events/in WebSocket
Product: Prefect (PrefectHQ/prefect)
Affected Versions: 3.x prior to 3.6.14
CWE: CWE-306 (Missing Critical Step in Authentication)
CVSS 3.1: 7.5 (High) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description: The /api/events/in WebSocket endpoint in Prefect Server performs neither authentication nor subprotocol validation, even when PREFECT_SERVER_API_AUTH_STRING is configured. Standard HTTP endpoints are protected by middleware, but Starlette-based WebSocket upgrades bypass those middleware layers. The endpoint accepts any connection and publishes the incoming JSON directly to the internal event publisher.

Impact: An unauthenticated attacker can open a WebSocket connection and inject arbitrary events into the Prefect ecosystem. The automations engine processes these events and can trigger deployments, transition flow run states, pause schedules, or send notifications. This allows significant unauthorized manipulation of the orchestration environment and pollutes the event log, compromising system integrity.

Proof of Concept:
1. Confirm HTTP authentication is active (GET /api/flows returns 401).
2. Connect to ws://[target]:4200/api/events/in without providing credentials or a subprotocol.
3. Send a crafted JSON event.
4. Verify the event is persisted and visible via the /api/events/filter endpoint.

Fix: Resolved in version 3.6.14 by routing the connection through the accept_prefect_socket() wrapper, which enforces the 'prefect' subprotocol and token-based authentication. The fix was implemented in https://github.com/PrefectHQ/prefect/pull/20372
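The root cause in the description (HTTP-scoped middleware never sees a WebSocket upgrade) and the shape of the fix (subprotocol plus token enforced at accept time), modelled here on plain ASGI scope dicts as an added illustration; this is not Prefect's own code, and the bearer-header token transport, header names and close codes are assumptions.

```python
import hmac

REQUIRED_SUBPROTOCOL = "prefect"


def _bearer_token(scope: dict) -> str:
    """Pull a bearer token out of the ASGI headers list (assumed transport)."""
    headers = {k.lower(): v for k, v in scope.get("headers", [])}
    value = headers.get(b"authorization", b"").decode()
    return value[len("Bearer "):] if value.startswith("Bearer ") else ""


def http_only_auth_middleware(scope: dict, expected_token: str) -> str:
    """Mirrors the BaseHTTPMiddleware pattern: a non-HTTP scope is handed
    straight to the inner app, so a WebSocket upgrade is never checked here."""
    if scope["type"] != "http":
        return "passthrough"  # the gap: websocket scopes skip the check entirely
    if hmac.compare_digest(_bearer_token(scope), expected_token):
        return "ok"
    return "401"


def accept_websocket(scope: dict, expected_token: str) -> tuple:
    """The check that has to live in the WebSocket handler itself: require the
    expected subprotocol to be offered and a valid token before accepting.
    Returns ("accept", subprotocol) or ("close", close_code)."""
    if scope["type"] != "websocket":
        raise ValueError("not a websocket scope")
    if REQUIRED_SUBPROTOCOL not in scope.get("subprotocols", []):
        return ("close", 1002)  # protocol error: required subprotocol not offered
    if not hmac.compare_digest(_bearer_token(scope), expected_token):
        return ("close", 1008)  # policy violation: missing or wrong token
    return ("accept", REQUIRED_SUBPROTOCOL)


# Constructed sample scopes, not captured from a real server.
SECRET = "example-auth-string"
ANON_WS = {"type": "websocket", "path": "/api/events/in", "headers": [], "subprotocols": []}
GOOD_WS = {"type": "websocket", "path": "/api/events/in", "subprotocols": ["prefect"],
           "headers": [(b"authorization", b"Bearer example-auth-string")]}

if __name__ == "__main__":
    print(http_only_auth_middleware({"type": "http", "headers": []}, SECRET))  # 401
    print(http_only_auth_middleware(ANON_WS, SECRET))  # passthrough: never checked
    print(accept_websocket(ANON_WS, SECRET))  # ('close', 1002)
    print(accept_websocket(GOOD_WS, SECRET))  # ('accept', 'prefect')
```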
Source: https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f
User: nedlir (UID 95981)
Submitted: 2026-04-17 21:54 (2 months ago)
Moderated: 2026-05-03 11:18 (16 days later)
Status: Accepted
VulDB Entry: 360899 [PrefectHQ prefect up to 3.6.13 WebSocket Endpoint /api/events/in weak authentication]
Points: 20
