CVE-2026-7723: PrefectHQ Prefect WebSocket Lacks Authentication
The National Vulnerability Database has disclosed CVE-2026-7723, a high-severity (CVSS 7.3) authentication bypass flaw in PrefectHQ Prefect versions up to 3.6.13. This vulnerability resides within an unknown function of the /api/events/in WebSocket Endpoint component. An attacker can exploit this remotely due to missing authentication, potentially leading to unauthorized access or manipulation.
This isn’t a theoretical threat; an exploit has been publicly released, making it a high-priority target for adversaries. The vulnerability is categorized under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). Defenders need to recognize that public exploits drastically shorten the window for patching before active exploitation begins.
PrefectHQ has addressed this with a patch, identified as 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40. Organizations leveraging PrefectHQ Prefect should immediately upgrade to version 3.6.14 or later to mitigate this critical risk.
What This Means For You
- If your organization uses PrefectHQ Prefect, you need to prioritize patching to version 3.6.14 *now*. The public exploit means attackers are already looking for vulnerable instances. Don't wait for a breach to find out you're exposed.
🛡️ Detection Rules
CVE-2026-7723: Prefect WebSocket Unauthenticated API Access
```yaml
# Title is quoted because a plain YAML scalar may not contain ': '.
title: 'CVE-2026-7723: Prefect WebSocket Unauthenticated API Access'
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects unauthenticated access to the Prefect WebSocket endpoint '/api/events/in' which is vulnerable in versions up to 3.6.13 due to CVE-2026-7723. This allows remote attackers to bypass authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7723/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/events/in'
    # Sigma has no '|exact' modifier; a bare field is an exact match.
    # A WebSocket handshake is a GET request (RFC 6455, section 4.1),
    # so matching on POST would never see the upgrade.
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
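As an added example that is not part of the advisory or of Prefect's own code, the Python below applies the rule's intent to web-server access-log lines and checks a reported Prefect version against the first fixed release named above; the log field layout, the sample lines and the helper names are assumptions made for this example.

```python
"""Added example (not from the advisory or Prefect): apply the detection
rule's intent to access-log lines and check a version against the fix."""
import re

PATCHED = (3, 6, 14)            # first fixed release per the advisory
TARGET_URI = "/api/events/in"   # affected WebSocket endpoint per the advisory

# Assumed W3C-style field layout (constructed for this example):
# date time c-ip cs-method cs-uri cs(Upgrade) sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<upgrade>\S+) (?P<status>\d{3})$"
)

def parse_version(v: str) -> tuple:
    """'3.6.13' or 'v3.6.13' -> (3, 6, 13)."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def is_affected(version: str) -> bool:
    """True for every release below the first patched version."""
    return parse_version(version) < PATCHED

def find_websocket_upgrades(lines) -> list:
    """Return records of WebSocket handshakes against TARGET_URI.
    RFC 6455 makes the handshake a GET with 'Upgrade: websocket'; a 101
    status means the server accepted it. Access logs do not show whether
    the caller was authenticated, so each hit still needs review against
    the Prefect server's own records."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # malformed or unrelated line
        rec = m.groupdict()
        if (rec["uri"].split("?", 1)[0] == TARGET_URI
                and rec["method"] == "GET"
                and rec["upgrade"].lower() == "websocket"):
            rec["accepted"] = rec["status"] == "101"
            hits.append(rec)
    return hits

# Constructed sample log lines (TEST-NET addresses, not real traffic)
SAMPLE_LOG = [
    "2026-05-04 06:20:01 203.0.113.7 GET /api/events/in websocket 101",
    "2026-05-04 06:20:02 198.51.100.4 GET /api/health - 200",
    "2026-05-04 06:20:03 203.0.113.7 POST /api/events/in - 405",
    "2026-05-04 06:20:04 192.0.2.9 GET /api/events/in?x=1 websocket 401",
]
```

Running `find_websocket_upgrades(SAMPLE_LOG)` returns the two handshake lines (one accepted with 101, one rejected with 401) and ignores the health check and the POST, which is not a WebSocket handshake.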
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7723 | Auth Bypass | PrefectHQ prefect versions up to 3.6.13 |
| CVE-2026-7723 | Auth Bypass | Vulnerable endpoint: /api/events/in (WebSocket Endpoint) |
| CVE-2026-7723 | Patch | Upgrade to PrefectHQ prefect version 3.6.14 or apply patch 0d3ab3c2d3f9f98abfafdf7b9f6d4f8ed3925e40 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 06:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.