CVE-2026-7725 | PrefectHQ prefect up to 3.6.25.dev6 GitRepository Pull storage.py commit_sha/directories argument injection
A vulnerability classified as critical has been discovered in PrefectHQ prefect up to 3.6.25.dev6. It affects unknown functionality in the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. Manipulating the argument commit_sha/directories results in argument injection.
This vulnerability is known as CVE-2026-7725. It is possible to launch the attack remotely. Furthermore, an exploit is available.
It is advisable to upgrade the affected component.
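An added example, not Prefect's code and not taken from the advisory: one way a caller can validate `commit_sha` and `directories` before they are placed on a git command line, so that neither value can be parsed as an option. The function names and the git subcommands shown are assumptions, since the entry does not describe how the pull handler invokes git.

```python
import re
from typing import List, Sequence

# A full or abbreviated hex object name; anything starting with "-" fails.
_HEX_SHA = re.compile(r"[0-9a-fA-F]{7,64}")


def validate_commit_sha(commit_sha: str) -> str:
    """Return commit_sha if it is a plain hex object name, else raise."""
    if not isinstance(commit_sha, str) or not _HEX_SHA.fullmatch(commit_sha):
        raise ValueError(f"rejected commit_sha {commit_sha!r}")
    return commit_sha


def validate_directories(directories: Sequence[str]) -> List[str]:
    """Reject entries git could read as an option or that leave the repo."""
    checked = []
    for entry in directories:
        if not isinstance(entry, str) or not entry or entry.startswith("-"):
            raise ValueError(f"rejected directory {entry!r}")
        if any(ch in entry for ch in "\x00\r\n"):
            raise ValueError(f"rejected directory {entry!r}")
        if entry.startswith("/") or ".." in entry.split("/"):
            raise ValueError(f"rejected directory {entry!r}")
        checked.append(entry)
    return checked


def build_pull_commands(commit_sha: str, directories: Sequence[str]) -> List[List[str]]:
    """Build argv lists (never a shell string) for a pinned sparse checkout."""
    sha = validate_commit_sha(commit_sha)
    dirs = validate_directories(directories)
    return [
        # "--" ends option parsing: everything after it is a pattern.
        ["git", "sparse-checkout", "set", "--", *dirs],
        ["git", "fetch", "--depth=1", "origin", sha],
        ["git", "checkout", "--detach", sha],
    ]


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    sample_sha = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
    for argv in build_pull_commands(sample_sha, ["flows", "lib/utils"]):
        print(argv)
```

The argv lists are meant to be passed to a process API without a shell; the validation is a caller-side control and does not replace upgrading.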