CVE-2026-7724: Time-of-check Time-of-use in PrefectHQ prefect
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AI Analysis
Technical Summary
This vulnerability affects PrefectHQ prefect up to version 3.6.28.dev1 in the validate_restricted_url function within the Webhook/Notification component. It is a TOCTOU race condition that could allow an attacker to manipulate the URL validation process. Exploitation is remote but considered difficult due to high attack complexity. The vulnerability has a CVSS 4.0 score of 2.3, indicating low severity. A patch identified by commit 7c70ac54a5e101431d83b9f2681ec88d5e0021ed is available in version 3.6.28.dev2.
Potential Impact
The vulnerability allows a remote attacker to exploit a TOCTOU race condition in URL validation, potentially bypassing restrictions. However, the low CVSS score and high attack complexity suggest limited impact and difficulty in exploitation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade PrefectHQ prefect to version 3.6.28.dev2 or later, which contains the patch for this vulnerability. No other mitigations are specifically indicated.
CVE-2026-7724: Time-of-check Time-of-use in PrefectHQ prefect
Description
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS v4.0
Score 2.3low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects PrefectHQ prefect up to version 3.6.28.dev1 in the validate_restricted_url function within the Webhook/Notification component. It is a TOCTOU race condition that could allow an attacker to manipulate the URL validation process. Exploitation is remote but considered difficult due to high attack complexity. The vulnerability has a CVSS 4.0 score of 2.3, indicating low severity. A patch identified by commit 7c70ac54a5e101431d83b9f2681ec88d5e0021ed is available in version 3.6.28.dev2.
Potential Impact
The vulnerability allows a remote attacker to exploit a TOCTOU race condition in URL validation, potentially bypassing restrictions. However, the low CVSS score and high attack complexity suggest limited impact and difficulty in exploitation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade PrefectHQ prefect to version 3.6.28.dev2 or later, which contains the patch for this vulnerability. No other mitigations are specifically indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-03T09:18:19.872Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f80d4bcbff5d86109fed88
Added to database: 5/4/2026, 3:06:51 AM
Last enriched: 5/4/2026, 3:21:19 AM
Last updated: 6/18/2026, 7:23:02 AM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.