CVE-2026-3515

A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper sanitization, and then parsed by shlex.split(). This enables injection of options such as -c, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the aget directory() and get directory() methods in src/integrations/prefect-github/prefect github/repository.py. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.