CVE-2026-7723

High

Published: 04 May 2026

Published

04 May 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0011 29.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote.…

The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly addresses the missing authentication by requiring explicit definition, authorization, and control of actions permitted without identification or authentication on the WebSocket endpoint.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations, ensuring the /api/events/in WebSocket endpoint requires authentication to block unauthorized remote manipulation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, enabling upgrade to Prefect 3.6.14 to patch the specific authentication bypass vulnerability.

Security SummaryAI

CVE-2026-7723 affects PrefectHQ's prefect software in versions up to and including 3.6.13. The vulnerability involves missing authentication in an unknown function within the /api/events/in file of the WebSocket Endpoint component, mapped to CWEs-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this issue, which has low complexity and can be performed over the network. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, such as unauthorized access to the WebSocket endpoint. A public exploit has been disclosed.

Advisories recommend upgrading to prefect version 3.6.14, which includes the fixing commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 via pull request #20372. The vendor was contacted early, responded professionally, and promptly released the patched version.

An exploit proof-of-concept is available in a public GitHub Gist, increasing the risk of real-world abuse against exposed prefect instances.

Details

CWE(s): CWE-287 CWE-306

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Missing authentication on public WebSocket endpoint (CWE-287/306) in internet-facing Prefect app directly enables unauthenticated remote exploitation for limited access, mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f
cna@vuldb.com
https://github.com/PrefectHQ/prefect/
cna@vuldb.com
https://github.com/PrefectHQ/prefect/commit/f8afecadf88ea5f73694dafa3a365b9d8fae1ad6
cna@vuldb.com
https://github.com/PrefectHQ/prefect/pull/20372
cna@vuldb.com
https://github.com/PrefectHQ/prefect/releases/tag/3.6.14
cna@vuldb.com
https://vuldb.com/submit/807256
cna@vuldb.com
https://vuldb.com/vuln/360899
cna@vuldb.com
https://vuldb.com/vuln/360899/cti
cna@vuldb.com