CVE-2026-42572

🗓️ 14 May 2026 16:58:43Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 6 Views🌐 WEB

CVE-2026-42572: Hatchet allowed cross-tenant task metadata access before 0.83.39; fixed.

Reporter	Title	Published	Views	Family All 11
ATTACKERKB	CVE-2026-42572	14 May 202616:58	–	attackerkb
CNNVD	hatchet 安全漏洞	14 May 202600:00	–	cnnvd
Cvelist	CVE-2026-42572 Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`	14 May 202616:58	–	cvelist
EUVD	EUVD-2026-30339	14 May 202616:58	–	euvd
Github Security Blog	Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`	6 May 202621:59	–	github
NVD	CVE-2026-42572	14 May 202618:16	–	nvd
OSV	GHSA-55GC-6FMC-FPX9 Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`	6 May 202621:59	–	osv
Positive Technologies	PT-2026-38279	6 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-42572	15 May 202619:57	–	redhatcve
Snyk	Authorization Bypass Through User-Controlled Key	6 May 202621:59	–	snyk

NVD

Vulners

Node

hatchet hatchetRange<0.83.39

[
  {
    "vendor": "hatchet-dev",
    "product": "hatchet",
    "versions": [
      {
        "version": "< 0.83.38",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/hatchet-dev/hatchet/security/advisories/GHSA-55gc-6fmc-fpx9

Parameter	Position	Path	Description	CWE
tenant_uuid	query param	/api/v1/stable/dags/tasks	Missing authorization for GET /api/v1/stable/dags/tasks allows cross-tenant access to task metadata by supplying another tenant's UUID and a DAG UUID belonging to that tenant.	CWE-863, CWE-639
dag_uuid	query param	/api/v1/stable/dags/tasks	Missing authorization for GET /api/v1/stable/dags/tasks allows cross-tenant access to task metadata by supplying another tenant's UUID and a DAG UUID belonging to that tenant.	CWE-863, CWE-639

27 May 2026 20:14Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3 - 6.5

EPSS0.00035

SSVC