Executive Summary
A critical vulnerability (CVE-2026-5366, CVSS 9.9) in Prefect version 3.6.23 allows remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. Any user with deployment creation permissions can exploit this flaw to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments. Immediate action is required to mitigate this vulnerability.
Technical Analysis
The vulnerability is caused by improper handling of user-controlled input in the `GitRepository` storage class. Specifically, the `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations.
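The following Python block is an added illustration and is not Prefect's own `GitRepository` code. It shows the two guards the analysis above describes as missing: strict validation of the user-controlled `commit_sha` and `directories` values (rejecting anything that starts with `-`, so git can never read it as a flag), and the `--` separator placed before user input wherever git's option parser honours it. The function names, the `origin` remote and the `--depth 1` fetch are assumptions made for the example.

```python
import re
from typing import List

# Illustrative code added to this advisory; it is not Prefect's own GitRepository
# implementation. It demonstrates the two guards the advisory says were missing:
# strict validation of the user-controlled commit_sha and directories values, and
# the "--" separator so git stops option parsing before user input is reached.

# Abbreviated or full hex object name.
_HEX_SHA = re.compile(r"^[0-9a-f]{7,40}$", re.IGNORECASE)
# Conservative subset of git-check-ref-format(1): must start with an alphanumeric
# character, which also rules out anything git could read as an option.
_REF_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


class UnsafeGitArgument(ValueError):
    """A user-supplied value that git could interpret as an option or escape path."""


def validate_commit_sha(value: str) -> str:
    """Return value unchanged if it is a plain commit hash or ref name."""
    if not value or value.startswith("-"):
        raise UnsafeGitArgument(f"commit_sha must not start with '-': {value!r}")
    if ".." in value or any(c.isspace() or c == "\0" for c in value):
        raise UnsafeGitArgument(f"commit_sha contains forbidden characters: {value!r}")
    if not (_HEX_SHA.match(value) or _REF_NAME.match(value)):
        raise UnsafeGitArgument(f"commit_sha is not a hash or ref name: {value!r}")
    return value


def validate_directory(value: str) -> str:
    """Return value unchanged if it is a relative, option-free path inside the repo."""
    if not value or value.startswith("-"):
        raise UnsafeGitArgument(f"directory must not start with '-': {value!r}")
    if value.startswith("/") or "\0" in value:
        raise UnsafeGitArgument(f"directory must be a relative path: {value!r}")
    if any(part in ("", ".", "..") for part in value.rstrip("/").split("/")):
        raise UnsafeGitArgument(f"directory has an empty, '.' or '..' segment: {value!r}")
    return value


def is_safe_commit_sha(value: str) -> bool:
    """Boolean form of validate_commit_sha, convenient for policy checks and tests."""
    try:
        validate_commit_sha(value)
        return True
    except UnsafeGitArgument:
        return False


def is_safe_directory(value: str) -> bool:
    """Boolean form of validate_directory."""
    try:
        validate_directory(value)
        return True
    except UnsafeGitArgument:
        return False


def fetch_argv(remote: str, commit_sha: str) -> List[str]:
    """argv to fetch one commit. git's option parser stops at '--', so nothing
    after it can be read as a flag even if validation were somehow bypassed."""
    return ["git", "fetch", "--depth", "1", "--", remote, validate_commit_sha(commit_sha)]


def checkout_argv(commit_sha: str) -> List[str]:
    """argv to check out the fetched commit. For 'git checkout' the tree-ish comes
    before '--' (only pathspecs follow it), so validation is the only guard here."""
    return ["git", "checkout", validate_commit_sha(commit_sha)]


def sparse_checkout_argv(directories: List[str]) -> List[str]:
    """argv to restrict the working tree to validated directories, placed after '--'."""
    return ["git", "sparse-checkout", "set", "--"] + [validate_directory(d) for d in directories]


if __name__ == "__main__":
    # Constructed sample inputs: a normal deployment and option-shaped values.
    print(fetch_argv("origin", "a1b2c3d4e5f6"))
    print(sparse_checkout_argv(["flows/etl", "config"]))
    for bad in ("--upload-pack=example", "-x", "HEAD..main"):
        print(bad, "->", "rejected" if not is_safe_commit_sha(bad) else "accepted")
```

The validation layer is the one that matters for every subcommand: `--` ends option parsing only where the user value legitimately follows it (fetch refspecs, sparse-checkout patterns), while `git checkout` expects the tree-ish before `--`, so an option-shaped `commit_sha` must be rejected before any argv is built.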
How It Gets Exploited
An attacker with deployment creation permissions can exploit this vulnerability by sending a crafted request to the Prefect API. The attacker would need to provide a specially crafted `commit_sha` or `directories` parameter that injects arbitrary git flags. For example, an attacker could provide a `commit_sha` parameter that includes the `--upload-pack` flag, followed by a malicious command. When the Prefect worker processes the deployment, it would execute the malicious command, potentially leading to remote code execution.
Impact Assessment
Prefect version 3.6.23 is affected by this vulnerability. An attacker can achieve remote code execution on worker machines, compromising shared work pools in multi-tenant environments. The CVSS score for this vulnerability is 9.9, indicating a critical severity level.
Recommended Actions
To mitigate this vulnerability, update Prefect to a release in which the issue is fixed. Additionally, restrict deployment creation permissions to trusted users and monitor Prefect instances for suspicious activity.
Sources
- National Vulnerability Database (NVD)
- Huntr