Authentication Bypass via Health Check Path Exemptions

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-3514 is an authentication bypass vulnerability in Prefect 3.6.19 that exploits improper URL path exemptions in the authentication middleware. The flaw allows attackers to bypass authentication by creating or accessing resources with names ending in 'health' or 'ready'—strings typically reserved for legitimate health check probes. This vulnerability matters because it undermines the entire authentication layer for critical resource management endpoints, including variables, flows, work pools, and work queues. Organizations running affected versions of Prefect are exposed to unauthorized access of sensitive workflow data and configuration, potentially affecting any infrastructure leveraging Prefect for orchestration and automation.

Casky's 261 mapped skills detect the attack patterns behind this CVE by analyzing indicators aligned with MITRE ATT&CK techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners would observe Casky's Claude-powered extended reasoning identifying suspicious patterns such as: requests to resource endpoints with 'health' or 'ready' suffixes from unauthenticated sources, anomalous access to sensitive variables or flow configurations without proper session tokens, and atypical resource creation attempts using health-check-like naming conventions. The platform's skill coverage enables detection of authentication evasion techniques, improper access control mechanisms, and path-based bypass attempts—allowing teams to pinpoint both the vulnerability mechanics and active exploitation attempts in their Prefect deployments before attackers establish persistent access.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-3514.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-3514

Casky has 261 skills that investigate the attack patterns behind CVE-2026-3514. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn