CVE-2026-42572: Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`

May 6, 2026

A missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet’s tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant’s UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG.

This issue has been patched in v0.83.39. Hatchet Cloud has been patched and requires no action from users. Self-hosted users should upgrade.

References

github.com/advisories/GHSA-55gc-6fmc-fpx9
github.com/hatchet-dev/hatchet
github.com/hatchet-dev/hatchet/security/advisories/GHSA-55gc-6fmc-fpx9
nvd.nist.gov/vuln/detail/CVE-2026-42572

Code Behaviors & Features

Detect and mitigate CVE-2026-42572 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →