Ctrl + K
/ news / CVE
CVEPublished 2026-06-02Modified 2026-06-030 articles on news5 live referencesNVD data

CVE-2026-3514Prefect · Prefect

Vulnerability data via NVD (ingested)

CVSS v3.1
7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS percentile
Weaknesses (CWE)
CWE-863Incorrect Authorization
Description

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.

Timeline
Published 2026-06-02
Modified 2026-06-03

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag23 hosts
vuln:CVE-2026-3514
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Prefect Prefect"
All exposed Prefect Prefect instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Prefect"
HTTP body or banner mentions "Prefect" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-3514
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-3514
Censys host search filtered to this CVE id.
grep.app
CVE-2026-3514
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-3514
GitHub code search for direct mentions.
Google dork
"CVE-2026-3514" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (6)

CVE-2026-35146 repos
mooyoul/awesome-starsunknown
A curated list of my GitHub stars
★ 21·updated today
hugefiver/mystarsunknown
★ 16·updated today
Executioner1939/awesome-engineering-researchPython
Interesting Books, Articles and Videos
★ 8·updated today
oslook/n8n-workflowsunknown
4200 + Workflow Automation Templates are Grouped by Categories/Services for easy navigation
★ 6·updated 10mo ago
renaudallard/reolink_firmwaresPython
analysis of reolink firmwares
★ 2·updated 3mo ago
sanketny8/ai-daily-digestunknown
Auto-curated daily roundup of trending AI papers, blog posts, and discussions.
★ 1·updated today
We haven't classified any articles referencing CVE-2026-3514 yet. The external references above still apply.