{"id":"CVE-2026-42572","summary":"Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`","details":"Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This vulnerability is fixed in 0.83.39.","aliases":["GHSA-55gc-6fmc-fpx9","GO-2026-5134"],"modified":"2026-07-08T08:17:55.487003373Z","published":"2026-05-14T16:58:43.026Z","database_specific":{"cwe_ids":["CWE-639","CWE-863"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42572.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42572.json"},{"type":"ADVISORY","url":"https://github.com/hatchet-dev/hatchet/security/advisories/GHSA-55gc-6fmc-fpx9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42572"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hatchet-dev/hatchet","events":[{"introduced":"0"},{"fixed":"2c1e5e601ee5c9520d4096f397e23c4953c7a559"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:hatchet:hatchet:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.83.38"},{"fixed":"0.83.39"}]}}],"versions":["v0.83.37","v0.83.36","v0.83.35","v0.83.34","v0.83.33","v0.83.32","v0.83.31","v0.83.30","v0.83.29","v0.83.28","v0.83.27","v0.83.26","v0.83.25","v0.83.24","v0.83.23","v0.83.22","v0.83.21","v0.83.20","v0.83.19","v0.83.18","v0.83.17","v0.83.16","v0.83.15","v0.83.14","v0.83.13","v0.83.12","v0.83.10","v0.83.9","v0.83.8","v0.83.7","v0.83.6","v0.83.5","v0.83.4","v0.83.3","v0.83.2","v0.83.1","vscode/v0.1.2","v0.83.0","v0.82.3","v0.82.2","v0.82.1","v0.82.0","v0.81.4","v0.81.3","v0.81.2","vscode/v0.1.0","v0.81.1","v0.81.0","v0.80.10","v0.80.9","v0.80.8","v0.80.7","v0.80.6","v0.80.5","v0.80.4","v0.80.3","v0.80.2","v0.80.1","v0.80.0","v0.79.44","v0.79.43","v0.79.41","v0.79.40","v0.79.39","v0.79.38","v0.79.37","v0.79.35","v0.79.36","v0.79.34","v0.79.33","v0.79.32","v0.79.31","v0.79.30","v0.79.29","v0.79.28","v0.79.27","v0.79.26","v0.79.25","v0.79.24","v0.79.23","v0.79.22","v0.79.21","v0.79.20","v0.79.19","v0.79.18","v0.79.17","v0.79.16","v0.79.15","v0.79.14","v0.79.13","v0.79.12","v0.79.11","v0.79.10","v0.79.9","v0.79.8","v0.79.7","v0.79.6","v0.79.5","v0.79.4","v0.79.3","v0.79.2","v0.79.1","v0.79.0","v0.78.30","v0.78.29","v0.78.28","v0.78.27","v0.78.26","v0.78.25","v0.78.24","v0.78.23","v0.78.22","v0.78.21","v0.78.20","v0.78.19","v0.78.18","v0.78.17","v0.78.16","v0.78.15","v0.78.14","v0.78.13","v0.78.12","v0.78.11","v0.78.10","v0.78.9","v0.78.8","v0.78.7","v0.78.6","v0.78.5","v0.78.4","v0.78.3","v0.78.2","v0.78.1","v0.78.0","v0.77.37","v0.77.36","v0.77.35","v0.77.34","v0.77.33","v0.77.32","v0.77.31","v0.77.30","v0.77.29","v0.77.28","v0.77.27","v0.77.26","v0.77.25","v0.77.24","v0.77.23","v0.77.22","v0.77.21","v0.77.20","v0.77.18","v0.77.17","v0.77.16","v0.77.15","v0.77.13","v0.77.11","v0.77.10","v0.77.9","v0.77.8","v0.77.7","v0.77.6","v0.77.5","v0.77.4","v0.77.3","v0.77.2-alpha.5","v0.77.2-alpha.4","v0.77.2-alpha.3","v0.77.2-alpha.2","v0.77.2-alpha.1","v0.77.1","v0.77.0","v0.75.4","v0.75.3","v0.75.2","v0.75.1","v0.75.0","v0.74.14","v0.74.13","v0.74.12","v0.74.11","v0.74.9","v0.74.10","v0.74.8","v0.74.7","v0.74.6","v0.74.5","v0.74.4","v0.74.3","v0.74.2","v0.74.1","v0.73.112","v0.73.111","v0.73.110","v0.73.109","v0.73.108","v0.73.107","v0.73.106","v0.73.104","v0.73.103","v0.73.102","v0.73.101","v0.73.99","v0.73.100","v0.73.98","v0.73.97","v0.73.96","v0.73.95","v0.73.94","v0.73.93","v0.73.92","v0.73.91","v0.73.90","v0.73.89","v0.73.88","v0.73.87","v0.73.86","v0.73.85","v0.73.84","v0.73.83","v0.73.82","v0.73.81","v0.73.80","v0.73.79","v0.73.78","v0.73.77","v0.73.76","v0.73.75","v0.73.74","v0.73.72","v0.73.73","v0.73.71","v0.73.70","v0.73.68","v0.73.67","v0.73.66","v0.73.65","v0.73.64","v0.73.63","v0.73.62","v0.73.61","v0.73.60","v0.73.59","v0.73.58","v0.73.56","v0.73.55","v0.73.54","v0.73.53","v0.73.52","v0.73.51","v0.73.50","v0.73.49","v0.73.48","v0.73.47","v0.73.46","v0.73.45","v0.73.44","v0.73.43","v0.73.42","v0.73.41","v0.73.40","v0.73.40-alpha.0","v0.73.39","v0.73.38","v0.73.37","v0.73.36","v0.73.35","v0.73.34","v0.73.33","v0.73.32","v0.73.31","v0.73.30","v0.73.29","v0.73.28","v0.73.26","v0.73.25","v0.73.24","v0.73.23","v0.73.22","v0.73.21","v0.73.20","v0.73.19","v0.73.18","v0.73.15","v0.73.17","v0.73.16","v0.73.14","v0.73.13","v0.73.12","v0.73.11","v0.73.10","v0.73.9","v0.73.8","v0.73.7","v0.73.6","v0.73.5","v0.73.4","v0.73.3","v0.73.2","v0.73.1","v0.73.0","v0.72.8","v0.72.7","v0.72.6","v0.72.5","v0.72.4","v0.72.3","v0.72.2","v0.72.1","v0.72.0","v0.71.15","v0.71.14","v0.71.13","v0.71.12","v0.71.11","v0.71.10","v0.71.9","v0.71.8","v0.71.8-alpha.0","v0.71.7","v0.71.6","v0.71.5","v0.71.4","v0.71.3","v0.71.2","v0.71.1","v0.71.0","v0.70.7","v0.70.6","v0.70.5","v0.70.4","v0.70.3","v0.70.2","v0.70.1","v0.70.0","v0.69.9","v0.69.8","v0.69.7","v0.69.6","v0.69.5","v0.69.4","v0.69.3","v0.69.2","v0.69.1","v0.68.10","v0.68.9","v0.68.8","v0.68.7","v0.68.6","v0.69.0","v0.68.5","v0.68.4","v0.68.3","v0.68.2","v0.68.1","v0.68.0","v0.67.8","v0.67.7","v0.67.6","v0.67.5","v0.67.4","v0.67.3","v0.67.2","v0.67.1","v0.67.0","v0.66.8","v0.66.7","v0.66.5","v0.66.4","v0.66.3","v0.66.2","v0.66.1","v0.66.0","v0.65.3","v0.65.2","v0.65.1","v0.65.0","v0.64.13","v0.64.12","v0.64.11","v0.64.10","v0.64.9","v0.64.8","v0.64.7","v0.64.6","v0.64.5","v0.64.4","v0.64.3","v0.64.2","v0.64.1","v0.64.0","v0.63.6","v0.63.5","v0.63.4","v0.63.3","v0.63.2","v0.63.1","v0.63.0","v0.62.7","v0.62.6","v0.62.5","v0.62.4","v0.62.3","v0.62.1","v0.62.0","v0.61.12","v0.61.11","v0.61.10","v0.61.9","v0.61.8","v0.61.7","v0.61.6","v0.61.4","v0.61.5","v0.61.3","v0.61.2","v0.61.1","v0.61.0","v0.60.5","v0.60.4","v0.60.3","v0.60.2","v0.60.1","v0.60.0","v0.59.5","v0.59.4","v0.59.3","v0.59.2","v0.59.1","v0.59.0","v0.58.11","v0.58.10","v0.58.9","v0.58.8","v0.58.7","v0.58.6","v0.58.5","v0.58.4","v0.58.3","v0.58.2","v0.58.1","v0.58.0","v0.57.1","v0.57.0","v0.56.4","v0.56.3","v0.56.2","v0.56.1","v0.56.0","v0.55.29","v0.55.28","v0.55.27","v0.55.26","v0.55.25","v0.55.24","v0.55.23","v0.55.22","v0.55.21","v0.55.20","v0.55.19","v0.55.18","v0.55.17","v0.55.15","v0.55.16","v0.55.14","v0.55.13","v0.55.12","v0.55.9","v0.55.8","v0.55.7","v0.55.6","v0.55.5","v0.55.4","v0.55.3","v0.55.1","v0.55.0","v0.54.14","v0.54.13","v0.54.12","v0.54.10","v0.54.9","v0.52.6","v0.54.8","v0.54.7","v0.54.6","v0.54.5","v0.54.4","v0.54.3","v0.54.2","v0.54.1","v0.54.0","v0.53.15","v0.53.11","v0.53.10","v0.53.9","v0.53.8","v0.53.7","v0.53.6","v0.53.5","v0.53.4","v0.53.2","v0.53.1","v0.53.0","v0.52.12","v0.53.0-alpha.2","v0.52.11","v0.52.10","v0.52.9","v0.52.8","v0.52.7","v0.52.5","v0.52.4","v0.52.3","v0.52.2","v0.52.1","v0.52.0","v0.51.5","v0.51.4","v0.51.3","v0.51.2","v0.51.1","v0.51.0","v0.51.0-beta.2","v0.51.0-beta.1","v0.51.0-beta.0","v0.50.4","v0.50.3","v0.50.2","v0.50.1","v0.50.1-alpha.0","v0.50.0","v0.50.0-alpha.3","v0.50.0-alpha.2","v0.50.0-alpha.1","v0.50.0-alpha.0","v0.49.5-alpha.0","v0.49.4","v0.49.3","v0.49.2","v0.49.1","v0.49.1-alpha.0","v0.48.5","v0.48.4","v0.48.3","v0.48.2","v0.48.1","v0.48.0","v0.47.1","v0.47.0","v0.46.3","v0.46.2","v0.46.1","v0.46.0","v0.45.3","v0.45.2","v0.45.1","v0.45.0","v0.44.8","v0.44.7","v0.44.5","v0.44.4","v0.44.3","v0.44.2","v0.44.1","v0.44.0","v0.43.2","v0.43.1","v0.42.9","v0.43.0","v0.42.14","v0.42.13","v0.42.12","v0.42.11","v0.42.10","v0.42.6","v0.42.5","v0.42.4","v0.42.3","v0.42.2","v0.42.1","v0.42.0","v0.41.2","v0.41.1","v0.41.0","v0.40.0","v0.39.1","v0.39.0","v0.38.0","v0.37.0","v0.36.11","v0.36.10","v0.36.9","v0.36.8","v0.36.7","v0.36.6","v0.36.5","v0.36.4","v0.36.3","v0.36.1","v0.36.0","v0.35.1","v0.35.0","v0.34.5","v0.34.4","v0.34.3","v0.34.2","v0.34.1","v0.34.0","v0.33.2","v0.33.1","v0.33.0","v0.32.4","v0.32.3","v0.32.2","v0.32.1","v0.32.0","v0.32.0-alpha.0","v0.31.1","v0.31.0","v0.30.0","v0.28.9","v0.28.7","v0.28.8","v0.28.6","v0.28.5","v0.28.4","v0.28.3","v0.28.2","v0.28.1","v0.28.0","v0.27.2","v0.27.1","v0.27.0","v0.26.2","v0.26.1","v0.26.0","v0.25.2","v0.25.1","v0.25.0","v0.23.0","v0.22.4","v0.22.3","v0.22.2","v0.22.1","v0.22.0","v0.21.7","v0.21.6","v0.21.5","v0.21.4","v0.21.3","v0.21.2","v0.21.1","v0.21.0","v0.20.4","v0.20.3","v0.20.2","v0.20.1","v0.20.0","v0.19.5","v0.19.4","v0.19.3","v0.19.2","0.19.2","v0.18.1","v0.18.0","v0.17.3","v0.17.2","v0.17.1","v0.17.0","v0.16.2","v0.16.1","v0.16.0","v0.15.2","v0.15.1","v0.15.0","v0.14.2","v0.14.1","v0.14.0","v0.13.4","v0.13.3","v0.13.2","v0.13.1","v0.13.0","v0.12.0","v0.11.3","v0.11.2","v0.11.1","v0.11.0","v0.10.3","v0.10.2","v0.10.1","v0.10.0","v0.9.2","v0.9.1","v0.9.0","v0.7.0","v0.6.0","v0.5.0-alpha.0","v0.4.0-alpha.1","v0.4.0-alpha.0","v0.3.0-alpha.9","v0.3.0-alpha.8","v0.3.0-alpha.7","v0.3.0-alpha.6","v0.3.0-alpha.5","v0.3.0-alpha.4","v0.3.0-alpha.3","v0.3.0-alpha.2","v0.3.0-alpha.1","v0.1.0-alpha.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42572.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}