What happened
CVE-2026-5366 was published on 2026-06-20 (CVSS 9.9 Critical, CWE-94). Prefect version 3.6.23 and earlier improperly handles user-controlled input in the GitRepository storage class used to fetch code for ML/data pipeline execution. The commit_sha and directories parameters are passed to git subprocess calls without validation or a -- argument separator, allowing git flag injection (e.g., --upload-pack) that causes git to execute attacker-controlled external programs. The affected versions are listed as 'through latest', indicating no upstream patch was available at disclosure.
Why it matters
Prefect is a widely used MLOps workflow orchestration platform. In shared or multi-tenant deployments — common in enterprise ML platforms — a low-privileged user (one who can only create deployments) can escalate to arbitrary code execution on the worker machine, potentially compromising all ML pipeline secrets, model artifacts, training data, and cloud credentials accessible to the worker.
Attack vector
An attacker with deployment-creation permissions passes a malicious commit_sha or directories parameter to Prefect's GitRepository storage class. Because these values are interpolated into git subprocess calls without a -- separator or input validation, the attacker can inject arbitrary git flags such as --upload-pack to execute external programs, achieving RCE on the worker machine.
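A defensive illustration of the hardening this root cause calls for (an added example, not Prefect's code and not the vendor's fix): validate commit_sha as a hex revision and each directories entry as a plain relative path, and terminate option parsing with -- before path arguments. Function names are hypothetical; note that -- only protects path arguments, so a revision argument has to be validated before it is placed in argv.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Hypothetical hardening for the flag-injection pattern in the advisory.
# A commit identifier is only ever hex (abbreviated or full SHA-1/SHA-256),
# so anything that could parse as a git option (leading '-') is rejected.
_COMMIT_SHA = re.compile(r"[0-9a-fA-F]{7,64}")


def validate_commit_sha(value: str) -> str:
    """Accept only hex commit identifiers; git revisions sit before '--',
    so this check is the only thing standing between input and argv."""
    if not _COMMIT_SHA.fullmatch(value):
        raise ValueError(f"invalid commit_sha: {value!r}")
    return value


def validate_directory(value: str) -> str:
    """Accept only a relative path inside the checkout: no leading '-'
    (git option syntax), no absolute path, no '..' traversal."""
    if not value or value.startswith("-"):
        raise ValueError(f"directory looks like a git option: {value!r}")
    path = PurePosixPath(value)
    if path.is_absolute() or ".." in path.parts:
        raise ValueError(f"directory escapes the repository: {value!r}")
    return value


def build_sparse_checkout_argv(directories: list[str]) -> list[str]:
    """argv for the sparse-checkout step; '--' ends option parsing so every
    directory is treated as a path even if validation were ever bypassed."""
    dirs = [validate_directory(d) for d in directories]
    return ["git", "sparse-checkout", "set", "--", *dirs]


def build_checkout_argv(commit_sha: str) -> list[str]:
    """argv for checking out a commit: the revision precedes '--' (git syntax),
    which is why validate_commit_sha is mandatory here."""
    return ["git", "checkout", validate_commit_sha(commit_sha), "--"]


def run_git(argv: list[str], cwd: str) -> subprocess.CompletedProcess:
    """Run git as an argv list (never through a shell) inside the checkout."""
    return subprocess.run(argv, cwd=cwd, check=True, capture_output=True, text=True)


def rejects(validator, value: str) -> bool:
    """True when the validator refuses the value (used to exercise the guards)."""
    try:
        validator(value)
    except ValueError:
        return True
    return False
```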
Affected systems
Prefect (prefecthq/prefect) ≤ 3.6.23
Mitigation
No patched version confirmed at time of disclosure; monitor https://huntr.com/bounties/e2e88a0f-a8f6-49c9-94c5-e98dc385f07a and the Prefect GitHub for a fix. Restrict deployment-creation permissions and avoid exposing shared work pools to untrusted users.