A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect...

CVE-2026-3515 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper sanitization, and then parsed by shlex.split(). This enables injection of options such as -c, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the aget_directory() and get_directory() methods in src/integrations/prefect-github/prefect_github/repository.py. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.

Basic information

Type
unreviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2026-05-26 13:30:29 UTC
Updated
2026-05-26 13:30:29 UTC
NVD published
2026-05-24

EPSS Score

Score Percentile
0.10% 26.14%

CVSS Scores

Base score Version Severity Vector
8.5 3.0
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type Value
GHSA GHSA-cw25-2p92-7f75 ↗
CVE CVE-2026-3515 ↗

CWEs

CWE id Name
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

References

cvelogic Threat Intelligence