A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVE-2026-7724
Score 5.0 from GitHub Security Advisory (severity: LOW) published 2026-05-04. NVD baseline CVSS 5.0; sources differ by 0.0.
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.0
- EG Score
- 5.0(medium)
- EPSS
- 16.2%
- KEV
- Not listed
Published
May 4, 2026
Last Modified
May 4, 2026
Advisory Details (6)
Auto-updated May 4, 2026Linear
https://linear.app/prefect/issue/OSS-7874/fix-dns-rebinding-toctou-bypass-in-validate-restricted-urlRelease 3.6.28.dev2: Nightly Development Release · PrefectHQ/prefect · GitHub
https://github.com/PrefectHQ/prefect/releases/tag/3.6.28.dev2Fix DNS rebinding TOCTOU bypass in `validate_restricted_url` by devin-ai-integration[bot] · Pull Request #21591 · PrefectHQ/prefect · GitHub
https://github.com/PrefectHQ/prefect/pull/21591Fix DNS rebinding TOCTOU bypass in `validate_restricted_url` (#21591) · PrefectHQ/prefect@7c70ac5 · GitHub
https://github.com/PrefectHQ/prefect/commit/7c70ac54a5e101431d83b9f2681ec88d5e0021edGitHub - PrefectHQ/prefect: Prefect is a workflow orchestration framework for building resilient data pipelines in Python. · GitHub
https://github.com/PrefectHQ/prefect/Vendor Advisories for CVE-2026-7724(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| prefect | 0.10.0 ... 3.6.9 (774 versions) | 3.6.28.dev2 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 12× in last 7d / 40× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-25 13:50 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
Show 51 moreShow fewer
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-16 17:53 UTCEPSS rescore
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 06:39 UTCEG score recompute
- 2026-06-14 23:18 UTCEPSS rescore
- 2026-06-14 08:17 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-11 20:01 UTCEG score recompute
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-10 22:19 UTCEPSS rescore
- 2026-06-10 21:38 UTCEG score recompute
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-09 23:17 UTCEG score recompute
- 2026-06-08 22:53 UTCEG score recompute
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-07 23:22 UTCEG score recompute
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 01:01 UTCEG score recompute
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 02:39 UTCEG score recompute
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 03:44 UTCEG score recompute
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-04 05:23 UTCEG score recompute
- 2026-06-03 06:56 UTCEG score recompute
- 2026-06-02 20:13 UTCEPSS rescore
- 2026-06-02 08:28 UTCEG score recompute
- 2026-06-01 13:52 UTCEPSS rescore
- 2026-06-01 10:06 UTCEG score recompute
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-26 13:44 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-21 22:43 UTCEPSS rescore
- 2026-05-20 22:38 UTCEPSS rescore
- 2026-05-20 14:39 UTCEG score recompute
- 2026-05-20 14:39 UTCGHSA enrichment
- 2026-05-20 11:22 UTCEPSS rescore
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-7724?
When was CVE-2026-7724 disclosed?
Is CVE-2026-7724 actively exploited?
What is the CVSS score of CVE-2026-7724?
How do I remediate CVE-2026-7724?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-7724
Is Your Infrastructure Affected by CVE-2026-7724?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.