PatchSiren cyber security CVE debrief
CVE-2026-3515 prefecthq CVE debrief
A command injection vulnerability exists in the `prefect-github` integration for Prefect version 3.6.18. The `GitHubRepository` block's `reference` field is unsafely concatenated into a shell command string before parsing with `shlex.split()`, enabling arbitrary git option injection. Attackers with control over the `reference` parameter can inject flags such as `-c` to execute arbitrary commands, potentially achieving SSRF, credential exfiltration, or RCE. The vulnerable code paths are `aget_directory()` and `get_directory()` in `src/integrations/prefect-github/prefect_github/repository.py`. The GitLab and BitBucket integrations are not affected, as they use safer list-based command construction.
- Vendor: prefecthq
- Product: prefecthq/prefect
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-24
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-24
- Advisory updated: 2026-05-26
Who should care
Organizations running Prefect 3.6.18 with `prefect-github` integrations, particularly those exposing repository configuration to untrusted users or automated systems. DevOps teams managing CI/CD pipelines using Prefect flows with dynamic branch or tag selection should prioritize patching.
Technical summary
The `prefect-github` integration builds its git clone command by string concatenation: the user-controlled `reference` field is interpolated directly into a command string that is then parsed by `shlex.split()`. Because `shlex.split()` only resolves shell quoting, it neither prevents a value beginning with `-` from being read by git as an option nor stops a value containing whitespace from becoming additional arguments. An attacker supplying a crafted `reference` value can therefore inject arbitrary git configuration flags (e.g., `-c core.sshCommand=...`), leading to arbitrary command execution on the Prefect worker. The vulnerability is confined to the GitHub integration; the GitLab and BitBucket integrations pass list arguments to `subprocess`, which prevents the same injection.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade `prefect-github` to a patched version when available; verify that the fix addresses both the `get_directory()` and `aget_directory()` methods.
- Audit workflows using `GitHubRepository` blocks for untrusted `reference` field inputs; treat such inputs as potentially malicious.
- Implement input validation on `reference` fields to restrict allowed characters to valid git reference names (e.g., alphanumeric, hyphens, underscores, dots, slashes).
- Consider migrating to GitLab or BitBucket integrations if immediate patching is not feasible, as these use safer list-based command construction.
- Review application logs for suspicious git clone operations involving unexpected `-c` or other option flags in the `reference` parameter.
- Apply principle of least privilege to Prefect worker execution environments to limit impact of potential command injection.
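As an added example (not Prefect's own code), the concatenated-string pattern beside a hardened builder and a reference validator: `build_clone_argv_concatenated()` shows how `shlex.split()` lets a reference turn into extra argv tokens, `is_safe_git_reference()` implements the allow-list suggested above (deliberately stricter than git's own rules), `build_clone_argv()` passes a list and uses `--` to end option parsing, and `suspicious_log_lines()` runs the same check over constructed log lines with a hypothetical `reference=` field.

```python
import re
import shlex

# Added example (not Prefect's code). Allow-list for branch/tag names; it is
# deliberately stricter than `git check-ref-format` (adjust for your repos).
_REF_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_git_reference(reference: str) -> bool:
    """True only for names git can never parse as an option (CWE-88 mitigation)."""
    if not reference or len(reference) > 255:
        return False
    if not _REF_ALLOWED.match(reference):  # also rejects a leading '-' and whitespace
        return False
    if ".." in reference or reference.endswith("/"):
        return False
    # Per-component rules from git: no empty component, no leading '.', no '.lock'.
    return not any(p == "" or p.startswith(".") or p.endswith(".lock")
                   for p in reference.split("/"))


def build_clone_argv_concatenated(url: str, reference: str) -> list[str]:
    """The flawed pattern the advisory describes: format a string, then shlex.split().
    shlex only undoes shell quoting; it cannot stop a value from splitting into
    extra tokens or from starting with '-'."""
    return shlex.split(f"git clone --depth 1 -b {reference} {url}")


def extra_tokens(url: str, reference: str) -> int:
    """How many argv entries beyond the intended seven the flawed builder emits."""
    return len(build_clone_argv_concatenated(url, reference)) - 7


def build_clone_argv(url: str, reference: str, dest: str) -> list[str]:
    """Hardened: validate first, pass argv as a list (no shell), and end option
    parsing with '--' so nothing after it is ever read as a git flag."""
    if not is_safe_git_reference(reference):
        raise ValueError(f"refusing unsafe git reference: {reference!r}")
    return ["git", "clone", "--depth", "1", "--branch", reference, "--", url, dest]


# Constructed sample log lines (hypothetical format: key=value fields).
SAMPLE_LOG = [
    "2026-05-24T10:00:00Z worker=w1 action=clone reference=main",
    "2026-05-24T10:01:00Z worker=w1 action=clone reference=release/2.0",
    "2026-05-24T10:02:00Z worker=w2 action=clone reference=-c key=value",
]


def suspicious_log_lines(lines: list[str]) -> list[str]:
    """Log-review helper: flag clone records whose reference fails validation."""
    return [ln for ln in lines
            if (m := re.search(r"reference=(.*)$", ln)) and not is_safe_git_reference(m.group(1))]
```

Pass the list returned by `build_clone_argv()` straight to `subprocess.run(argv, check=True)`; never join it back into a string.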
Evidence notes
The vulnerability was reported via Huntr and is tracked in NVD with status 'Awaiting Analysis'. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) supports a HIGH severity rating. CWE-88 (Improper Neutralization of Argument Delimiters in a Command) is the assigned weakness. The vendor field is marked as 'Unknown Vendor' with low confidence and requires review; the reference domain candidate suggests Huntr as the disclosure platform.
Official resources
- CVE-2026-3515 CVE record (CVE.org)
- CVE-2026-3515 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-24T05:16:39.167Z