Remote Code Execution in Prefect by Prefect Technologies
CVE-2026-5366

9.9 CRITICAL

Key Information:

Vendor: Prefecthq

CVE Published: 20 June 2026

What is CVE-2026-5366?

Prefect version 3.6.23 is vulnerable to remote code execution because the GitRepository storage class does not adequately validate user-controlled input. The commit_sha parameter is passed on without sufficient safeguards, which allows an attacker to inject arbitrary git commands. An attacker who holds permission to create deployments can exploit this flaw to run unauthorized programs on worker machines, which is especially serious in the shared setups typical of multi-tenant environments, and may lead to full system compromise.
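The defensive counterpart to the flaw described above, as an added illustration that is not Prefect's code and makes no claim about how the GitRepository class is actually implemented: a user-supplied commit identifier is checked against a strict allowlist before it is placed on a git command line, and the command is built as an argv list rather than a shell string. The function names, the hex-only rule (branch names and tags are deliberately not accepted here) and the checkout invocation are assumptions for the example.

```python
import re
import subprocess
from typing import List

# Constructed example (not Prefect's own code). A commit identifier that
# comes from a deployment definition is untrusted input: it is accepted only
# if it looks like a full or abbreviated hexadecimal git object id, so values
# that start with "-" (option-like), contain shell metacharacters, or name a
# ref with spaces never reach git at all.
COMMIT_SHA_RE = re.compile(r"[0-9a-f]{7,40}")


def validate_commit_sha(value: str) -> str:
    """Return the normalised object id, or raise ValueError if it is not one."""
    if not isinstance(value, str):
        raise TypeError("commit_sha must be a string")
    candidate = value.strip().lower()
    if not COMMIT_SHA_RE.fullmatch(candidate):
        raise ValueError(f"commit_sha is not a hexadecimal object id: {value!r}")
    return candidate


def is_valid_commit_sha(value: str) -> bool:
    """Boolean form of the same check, convenient for filtering and tests."""
    try:
        validate_commit_sha(value)
    except (TypeError, ValueError):
        return False
    return True


def checkout_argv(repo_dir: str, commit_sha: str) -> List[str]:
    """Build the argv for a detached checkout of an already validated id.

    No shell is involved, every element is a separate argument, and the
    validated id cannot begin with "-", so it cannot be parsed as an option.
    """
    sha = validate_commit_sha(commit_sha)
    return ["git", "-C", repo_dir, "checkout", "--detach", sha]


def run_checkout(repo_dir: str, commit_sha: str) -> None:
    """Execute the checkout with shell=False; validation happens in checkout_argv."""
    subprocess.run(checkout_argv(repo_dir, commit_sha), check=True, shell=False)
```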

Affected Version(s)

prefecthq/prefect <= unspecified

References

CVSS V3.0

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
