Cyber Resilience

CVE-2026-7723

Medium

Published: 04 May 2026

Published
04 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 34.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7723 is a medium-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2026-7723 affects PrefectHQ's prefect software in versions up to and including 3.6.13. The vulnerability involves missing authentication in an unknown function within the /api/events/in file of the WebSocket Endpoint component, mapped to CWEs-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction to exploit this issue, which has low complexity and can be performed over the network. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, such as unauthorized access to the WebSocket endpoint. A public exploit has been disclosed.

Advisories recommend upgrading to prefect version 3.6.14, which includes the fixing commit f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 via pull request #20372. The vendor was contacted early, responded professionally, and promptly released the patched version.

An exploit proof-of-concept is available in a public GitHub Gist, increasing the risk of real-world abuse against exposed prefect instances.

EU & UK References

Vulnerability details

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote.…

more

The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on public WebSocket endpoint (CWE-287/306) in internet-facing Prefect app directly enables unauthenticated remote exploitation for limited access, mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7042Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-6577Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2026-5676Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-5000Shared CWE-287, CWE-306
CVE-2026-6126Shared CWE-287, CWE-306

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication requirements on the /api/events/in WebSocket endpoint, blocking the unauthenticated remote access described in the CVE.

prevent

Requires identification and authentication of services/endpoints before allowing access, directly mitigating the missing authentication flaw in the WebSocket component.

AC-17 Remote Access partial match
prevent

Mandates authentication and access controls for all remote connections, addressing the network-exposed unauthenticated WebSocket endpoint.

References