HarborGuard Database

CRITICAL | CVE-2026-5366 | CNA: @huntr_ai

CVE-2026-5366: Git Argument Injection in prefecthq/prefect

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `GitRepository` storage class. The `commit_sha` parameter, which is passed to git commands, lacks validation and does not include a `--` separator to distinguish user input from git flags. This allows attackers to inject arbitrary git flags, such as `--upload-pack`, enabling execution of external programs. Additionally, the `directories` parameter can be exploited to inject git flags during sparse-checkout operations. These vulnerabilities allow any user with deployment creation permissions to execute arbitrary commands on worker machines, compromising shared work pools in multi-tenant environments.
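As an added illustration (not Prefect's code; the helper names are hypothetical), the hardened pattern the description implies: allow-list validation of `commit_sha` and `directories` before they reach git, argv built as a list rather than a shell string, and an explicit end-of-options marker so a later token can never be parsed as a flag. It assumes git 2.24 or newer for `--end-of-options`.

```python
import re
import subprocess
from typing import Sequence

# Added example, not Prefect's code: hypothetical helpers showing hardened
# handling of the two inputs the advisory names (commit_sha, directories).
SHA_RE = re.compile(r"[0-9a-f]{7,40}")


def is_valid_commit_sha(value: str) -> bool:
    """Only an abbreviated or full lowercase hex SHA passes, so a value that
    starts with '-' (i.e. looks like a git flag) can never reach argv."""
    return SHA_RE.fullmatch(value) is not None


def is_valid_directory(path: str) -> bool:
    """Sparse-checkout entries must be relative paths with no leading '-',
    no NUL byte and no '..' component."""
    return bool(path) and not path.startswith(("-", "/")) \
        and "\x00" not in path and ".." not in path.split("/")


def fetch_and_checkout_argv(commit_sha: str) -> list[list[str]]:
    """argv lists that pin a clone to a commit. The SHA is validated first;
    '--end-of-options' (git >= 2.24) stops option parsing as a second layer."""
    sha = commit_sha.strip().lower()
    if not is_valid_commit_sha(sha):
        raise ValueError(f"commit_sha is not a hex SHA: {commit_sha!r}")
    return [
        ["git", "fetch", "--end-of-options", "origin", sha],
        ["git", "checkout", "--end-of-options", sha],
    ]


def sparse_checkout_argv(directories: Sequence[str]) -> list[str]:
    """'--' ends option parsing, so no directory name can be read as a flag."""
    bad = [d for d in directories if not is_valid_directory(d)]
    if bad:
        raise ValueError(f"rejected sparse-checkout paths: {bad!r}")
    return ["git", "sparse-checkout", "set", "--", *directories]


def run_git(argv: list[str], repo_dir: str) -> str:
    """Run one argv list directly (never shell=True) and return stdout."""
    done = subprocess.run(argv, cwd=repo_dir, check=True,
                          capture_output=True, text=True)
    return done.stdout
```

The regex is the primary control; the end-of-options marker and the `--` only matter if validation is ever bypassed or loosened.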

Metrics

  • CVSS v3.0: 9.9
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An argument injection vulnerability in Prefect version 3.6.23 allows remote code execution through the GitRepository storage class. The flaw exists because the commit_sha and directories parameters are passed directly to git commands without validation or a -- separator, letting an attacker inject arbitrary git flags such as --upload-pack to launch external programs. This is reachable over the network by any authenticated user with deployment creation permissions, and successful exploitation gives the attacker arbitrary command execution on worker machines. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-5366 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the prefecthq/prefect package. Any image found to carry a vulnerable version of Prefect is flagged immediately in the affected registry or CI pipeline scan.

Triage (Available)

HarborGuard scores this finding at CVSS 9.9 Critical and applies per-environment compliance policy weighting to determine priority and escalation path. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

No upstream fix version has been published for CVE-2026-5366. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable Prefect API endpoint is exposed over the network, so an attacker must be able to reach the service remotely to inject malicious parameters.

  • Authentication: Required

    Any low-privilege account with deployment creation permissions is sufficient; no administrator or privileged role is needed.

  • Victim interaction: Not required

    No user interaction is needed; the attacker supplies malicious input directly through the API.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required to inject the malicious git flag.

Blast Radius

  • Executes arbitrary commands on worker machines by injecting git flags that spawn external programs during repository fetch operations.
  • Reads secrets, credentials, and environment variables accessible to the worker process, including those used to authenticate against downstream services.
  • Modifies or destroys data reachable by the worker, including persisted deployment configs, result storage, and shared work-pool state.
  • Compromises the entire shared work pool in multi-tenant environments, meaning one malicious tenant can affect workloads belonging to other tenants on the same pool.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-5366, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment prefecthq publishes a remediated release. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and open a PR against affected workloads automatically. In the interim, compensating controls available within HarborGuard policy include flagging any image carrying Prefect 3.6.23 as policy-failing and blocking it from promotion to production registries. Outside HarborGuard, security teams should consider restricting deployment creation permissions to trusted principals only, isolating worker machines from internal network segments they do not need to reach, and applying egress filtering on worker hosts to limit what external programs can be contacted even if a flag injection succeeds.

Affected packages
  • prefecthq/prefect (vendor: prefecthq), versions ≤ latest
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H