CVE-2026-42572 MEDIUM

CVE-2026-42572: Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`

Vendor Hatchet-Dev
Product hatchet
Weakness CWE-639 · IDOR
Published May 14, 2026
Last update May 15, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This vulnerability is fixed in 0.83.39.
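The following is an added example, written for this page and not taken from Hatchet's code base, that models the class of bug described above: a tenant-scoped route whose tenant-membership middleware was never applied. The route table, the `X-User` header, the `?tenant=`/`?dag=` query parameters, the `User` type and the tenant and DAG identifiers are all constructed assumptions; only the endpoint path comes from the advisory. It shows the vulnerable and fixed route tables side by side, replays the cross-tenant request against each, and includes a route audit of the kind a defender can keep as a regression test so that every tenant-scoped route is verified to carry the authorization check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a hypothetical session identity; Hatchet's real types are not used here.
type User struct {
	ID      string
	Tenants map[string]bool // tenant UUIDs this user is a member of
}

// route is a hypothetical route descriptor. Protected records whether the
// tenant-membership middleware was applied, standing in for the authorization
// directive the advisory says was missing on GET /api/v1/stable/dags/tasks.
type route struct {
	Method, Path string
	TenantScoped bool // handler reads a tenant UUID from the request
	Protected    bool
	Handler      http.HandlerFunc
}

// currentUser resolves the caller from a constructed "X-User" header, a stand-in
// for real session authentication.
func currentUser(r *http.Request, users map[string]*User) *User {
	return users[r.Header.Get("X-User")]
}

// requireTenantMembership rejects requests whose ?tenant= UUID the caller does
// not belong to. This is the check the advisory says was skipped for one route.
func requireTenantMembership(users map[string]*User, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u := currentUser(r, users)
		tenant := r.URL.Query().Get("tenant")
		if u == nil || tenant == "" || !u.Tenants[tenant] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// listTasksByDAG is a stand-in for the task-listing handler. It trusts that
// tenant membership was verified upstream, which is why a missing middleware
// turns it into an IDOR.
func listTasksByDAG(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	fmt.Fprintf(w, "tasks for dag %s in tenant %s", q.Get("dag"), q.Get("tenant"))
}

// buildRoutes returns the route table; protectTasks=false models the
// vulnerable configuration, true the fixed one.
func buildRoutes(users map[string]*User, protectTasks bool) []route {
	var h http.HandlerFunc = listTasksByDAG
	if protectTasks {
		h = requireTenantMembership(users, listTasksByDAG)
	}
	return []route{
		{Method: "GET", Path: "/api/v1/stable/dags/tasks", TenantScoped: true, Protected: protectTasks, Handler: h},
		{Method: "GET", Path: "/api/v1/version", TenantScoped: false, Protected: false,
			Handler: func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }},
	}
}

// auditRoutes is the regression check: every tenant-scoped route must be protected.
func auditRoutes(routes []route) []string {
	var missing []string
	for _, rt := range routes {
		if rt.TenantScoped && !rt.Protected {
			missing = append(missing, rt.Method+" "+rt.Path)
		}
	}
	return missing
}

// crossTenantRequest replays the advisory's scenario: a member of one tenant
// asks for a DAG that belongs to another. It returns the HTTP status and body.
func crossTenantRequest(routes []route, userID, targetTenant, dagID string) (int, string) {
	mux := http.NewServeMux()
	for _, rt := range routes {
		mux.HandleFunc(rt.Path, rt.Handler)
	}
	req := httptest.NewRequest("GET", "/api/v1/stable/dags/tasks?tenant="+targetTenant+"&dag="+dagID, nil)
	req.Header.Set("X-User", userID)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// sampleUsers is constructed test data: alice belongs only to tenant-a.
func sampleUsers() map[string]*User {
	return map[string]*User{
		"alice": {ID: "alice", Tenants: map[string]bool{"tenant-a": true}},
	}
}

func main() {
	users := sampleUsers()
	for _, protect := range []bool{false, true} {
		routes := buildRoutes(users, protect)
		code, body := crossTenantRequest(routes, "alice", "tenant-b", "dag-1")
		fmt.Printf("protected=%v status=%d body=%q missing=%v\n", protect, code, body, auditRoutes(routes))
	}
}
```

The audit works because protection is recorded at registration time rather than inferred from handler behaviour; in a real service the equivalent is a test that walks the router and fails when a route under a tenant-scoped prefix lacks the authorization middleware, so that a single missing directive, as in this advisory, is caught before release.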

Key dates

Disclosure timeline

May 14, 2026 CVE published
May 15, 2026 Record updated