← volver
CVE-2026-42572

Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`

CVSS 5.3 MEDIUMEPSS 0.2%CWE-639CWE-863
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
14 may 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This vulnerability is fixed in 0.83.39.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Productos afectados
hatchet-dev · hatchet