CVE-2026-7722
PrefectHQ prefect Health Check API health endswith improper authentication
CVSS Score
5.3
EPSS Score
0.1%
EPSS Percentile
22th
A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack is possible to be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
| CWE | CWE-287 |
| Vendor | prefecthq |
| Product | prefect |
| Published | May 4, 2026 |
| Last Updated | May 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for prefecthq prefect
Be the first to know when new medium vulnerabilities affecting prefecthq prefect are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
PrefectHQ / prefect
3.6.0 3.6.1 3.6.2 3.6.3 3.6.4 3.6.5 3.6.6 3.6.7 3.6.8 3.6.9 3.6.10 3.6.11 3.6.12 3.6.13 3.6.14 3.6.15 3.6.16 3.6.17 3.6.18 3.6.19 3.6.20 3.6.21
References
vuldb.com: https://vuldb.com/vuln/360898 vuldb.com: https://vuldb.com/vuln/360898/cti vuldb.com: https://vuldb.com/submit/807255 gist.github.com: https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 github.com: https://github.com/PrefectHQ/prefect/pull/21063 github.com: https://github.com/PrefectHQ/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79 github.com: https://github.com/PrefectHQ/prefect/releases/tag/3.6.22 github.com: https://github.com/PrefectHQ/prefect/
Credits
๐ nedlir (VulDB User) VulDB CNA Team