CVE-2026-5366

NONE · EPSS 42.7%
Published Jun 20, 2026 · Modified Jun 22, 2026

Description

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments.
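The advisory names two missing controls: validation of the user-supplied `commit_sha` and `directories` values, and a `--` separator so git stops parsing options before user input. The following is an added, constructed illustration of those controls and is not Prefect's own code; the function names and the regexes are assumptions, and the argv shapes follow git's documented `checkout` and `sparse-checkout set` usage.

```python
import re
import subprocess
from pathlib import Path

# Added example, not Prefect's GitRepository code. It pairs strict
# validation of git operands with a `--` separator where git accepts one.

# A git object id is hex only (7..40 chars for SHA-1, up to 64 for SHA-256),
# so a valid value can never begin with '-' and be read as a git flag.
_COMMIT_SHA_RE = re.compile(r"[0-9a-fA-F]{7,64}")

# A sparse-checkout directory: relative path, no leading '-', no traversal.
_DIRECTORY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def is_valid_commit_sha(commit_sha: str) -> bool:
    return _COMMIT_SHA_RE.fullmatch(commit_sha) is not None


def is_safe_directory(directory: str) -> bool:
    if _DIRECTORY_RE.fullmatch(directory) is None:
        return False
    return ".." not in directory.split("/")


def validate_commit_sha(commit_sha: str) -> str:
    if not is_valid_commit_sha(commit_sha):
        raise ValueError(f"commit_sha is not a hex object id: {commit_sha!r}")
    return commit_sha


def validate_directory(directory: str) -> str:
    if not is_safe_directory(directory):
        raise ValueError(f"unsafe sparse-checkout directory: {directory!r}")
    return directory


def checkout_argv(commit_sha: str) -> list[str]:
    # `git checkout` takes its revision before any `--`, so the hex
    # validation above is the control that keeps a flag out of this slot.
    return ["git", "checkout", validate_commit_sha(commit_sha)]


def sparse_checkout_argv(directories: list[str]) -> list[str]:
    # `--` ends option parsing: everything after it is a pattern, never a flag.
    patterns = [validate_directory(d) for d in directories]
    return ["git", "sparse-checkout", "set", "--", *patterns]


def run_git(argv: list[str], repo: Path) -> None:
    # No shell: argv elements reach git exactly as built, with no re-splitting.
    subprocess.run(argv, cwd=repo, check=True)
```

`run_git` is included only to show the no-shell invocation pattern; the argv builders are pure and can be unit-tested without a repository.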

Threat Intelligence

EPSS Exploit Probability
42.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses

CWE-94 Improper Control of Generation of Code ('Code Injection')

References

  • huntr.com https://huntr.com/bounties/e2e88a0f-a8f6-49c9-94c5-e98dc385f07a

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.