Back to list

Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds` — CVE-2026-42572

GHSA · GitHub · CVE-2026-42572

ID
CVE-2026-42572
Date
Updated
Activity
Source
GHSA
Vendor
GitHub
Threat
medium
CVSS
5.3

Summary

## Summary A missing authorization directive on the `GET /api/v1/stable/dags/tasks` endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This issue has been patched in **v0.83.39**. Hatchet…

Product

go: github.com/hatchet-dev/hatchet

What to do

General, cautious steps (verify details in the official source):

  • Review exposure and plan remediation based on risk and environment.
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GHSA 2026-W20