CVE-2026-7723
Published: 04 May 2026
Summary
CVE-2026-7723 is a medium-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).
Deeper analysis
CVE-2026-7723 affects PrefectHQ's prefect software in versions up to and including 3.6.13. The vulnerability involves missing authentication in an unknown function within the /api/events/in file of the WebSocket Endpoint component, mapped to CWEs-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this issue, which has low complexity and can be performed over the network. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, such as unauthorized access to the WebSocket endpoint. A public exploit has been disclosed.
Advisories recommend upgrading to prefect version 3.6.14, which includes the fixing commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 via pull request #20372. The vendor was contacted early, responded professionally, and promptly released the patched version.
An exploit proof-of-concept is available in a public GitHub Gist, increasing the risk of real-world abuse against exposed prefect instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26877
Vulnerability details
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote.…
more
The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on public WebSocket endpoint (CWE-287/306) in internet-facing Prefect app directly enables unauthenticated remote exploitation for limited access, mapping to T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication requirements on the /api/events/in WebSocket endpoint, blocking the unauthenticated remote access described in the CVE.
Requires identification and authentication of services/endpoints before allowing access, directly mitigating the missing authentication flaw in the WebSocket component.
Mandates authentication and access controls for all remote connections, addressing the network-exposed unauthenticated WebSocket endpoint.