Cyber Resilience

CVE-2026-3515

Severity: High
Published: 24 May 2026
Modified: 26 May 2026
KEV Added: (none)
Patch: (none)
CVSS v3 Score: 8.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0030 (21.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3515 is a high-severity Argument Injection (CWE-88) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.
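The flawed string-building pattern beside a list-based construction that blocks it, as an added illustration rather than Prefect's own code; the repository URL, destination path and the ref allow-list regex are constructed assumptions:

```python
import re
import shlex
from typing import List, Optional

# Constructed sample values; not taken from the Prefect code base.
REPO_URL = "https://github.com/example-org/example-repo"
DEST_DIR = "/tmp/clone-dest"


def build_clone_argv_vulnerable(reference: Optional[str]) -> List[str]:
    """Flawed pattern: interpolate the reference into a command *string*,
    then split it. Whitespace inside `reference` becomes extra argv tokens,
    so a value such as "main --quiet" smuggles a git option into the call."""
    cmd = f"git clone {REPO_URL}"
    if reference:
        cmd += f" -b {reference}"
    cmd += f" {DEST_DIR}"
    return shlex.split(cmd)


# Conservative allow-list for a branch or tag name (assumed, not git's full
# rule set): no leading '-', no whitespace, none of git's reserved characters.
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def validate_reference(reference: str) -> str:
    """Reject anything that could parse as an option or is not a plausible
    ref name; returns the reference unchanged when it is clean."""
    if (not _REF_RE.fullmatch(reference) or ".." in reference
            or reference.endswith((".lock", "/", "."))):
        raise ValueError(f"unsafe git reference: {reference!r}")
    return reference


def build_clone_argv_safe(reference: Optional[str]) -> List[str]:
    """Hardened pattern: build argv as a list so every value is exactly one
    token, validate the reference, and end the option list with `--` so git
    never reads the URL or destination as options."""
    argv = ["git", "clone"]
    if reference:
        argv += ["--branch", validate_reference(reference)]
    argv += ["--", REPO_URL, DEST_DIR]
    return argv
```

Pass the list form to `subprocess.run` (or Prefect's `run_process`) directly, never re-joined into a string.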

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Direct injection of git command-line options through the unsanitized `reference` field enables exploitation of a public-facing Prefect integration (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22583 (shared CWE-88)
CVE-2026-44193 (shared CWE-88)
CVE-2026-44450 (shared CWE-88)
CVE-2026-22582 (shared CWE-88)
CVE-2026-26194 (shared CWE-88)
CVE-2024-47516 (shared CWE-88)
CVE-2026-2298 (shared CWE-88)
CVE-2026-24126 (shared CWE-88)
CVE-2026-42284 (shared CWE-88)
CVE-2026-26514 (shared CWE-88)

Affected Assets

Prefect (inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.