CVE-2026-5366
CriticalCVSS 9.9Exploitation Probability (EPSS)
Elevated risk55th percentile — higher than 55% of all known CVEs
Summary
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter lacks validation and does not include a `--` separator, allowing injection of arbitrary git flags like `--upload-pack` to execute external programs. The `directories` parameter can also be exploited to inject git flags during sparse-checkout operations.
Risk Assessment
The risk for the organization is that any user with deployment creation permissions can execute arbitrary commands on worker machines, potentially compromising shared work pools in multi-tenant environments and leading to privilege escalation.
Recommendation
Immediately upgrade Prefect to version 3.6.24 or later, which includes fixes for this vulnerability. Until the update is applied, restrict deployment creation permissions to trusted users only.
Original NVD description (English source)
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments.

