# ask-community
b
Hey team! My company’s security software has identified a vulnerability in Prefect - are there plans to release a patch for this in the near future?
w
Thanks for reaching out, this is on our radar. However, we view this as a low severity vulnerability because it is prevented by CORS policies in modern browsers and is only an issue when running `prefect server start` locally without proper security measures. You can track this reported issue here, which we anticipate addressing in the next month or so, based on its low severity as well as complexities associated with varying server environments, backwards compatibility, and necessary client changes.

As you likely know, the Prefect Server API in the open source Prefect library is provided without auth. Prefect's expectation is that users will (i) subscribe to Prefect Cloud (with a generous "free forever" tier), which is hosted by Prefect and contains robust and secure auth mechanisms, or (ii) self-host and implement their own auth mechanism (some OSS users prefer to handle this themselves). In short, for OSS Prefect Server, the security implementations for authorization, authentication, and security are the responsibility of the end user. The Prefect Cloud API (which is hosted, maintained, and provided by Prefect) provides best practice authorization and authentication mechanisms.

Kindly let us know if you have any further questions or if it would be helpful to arrange a short call with a representative of our Security team to discuss further. Thanks,