CVE-2026-7723
Published: 04 May 2026
Summary
CVE-2026-7723 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the missing authentication by requiring explicit definition, authorization, and control of actions permitted without identification or authentication on the WebSocket endpoint.
Enforces approved access authorizations, ensuring the /api/events/in WebSocket endpoint requires authentication to block unauthorized remote manipulation.
Mandates timely flaw remediation, enabling upgrade to Prefect 3.6.14 to patch the specific authentication bypass vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on public WebSocket endpoint (CWE-287/306) in internet-facing Prefect app directly enables unauthenticated remote exploitation for limited access, mapping to T1190.
NVD Description
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote.…
more
The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Deeper analysisAI
CVE-2026-7723 affects PrefectHQ's prefect software in versions up to and including 3.6.13. The vulnerability involves missing authentication in an unknown function within the /api/events/in file of the WebSocket Endpoint component, mapped to CWEs-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this issue, which has low complexity and can be performed over the network. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, such as unauthorized access to the WebSocket endpoint. A public exploit has been disclosed.
Advisories recommend upgrading to prefect version 3.6.14, which includes the fixing commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 via pull request #20372. The vendor was contacted early, responded professionally, and promptly released the patched version.
An exploit proof-of-concept is available in a public GitHub Gist, increasing the risk of real-world abuse against exposed prefect instances.
Details
- CWE(s)