CVE-2026-42572
Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This vulnerability is fixed in 0.83.39.
| CWE | CWE-639 CWE-863 |
| Vendor | hatchet-dev |
| Product | hatchet |
| Published | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for hatchet-dev hatchet
Be the first to know when new medium vulnerabilities affecting hatchet-dev hatchet are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
hatchet-dev / hatchet
< 0.83.38