CVE-2026-42047 - Vulnerability Analysis
Severity: High | CVSS: 8.6 | Last Updated: May 8, 2026
Inngest - Information Disclosure
Published: May 7, 2026 | Updated: May 8, 2026 | Remote Exploitable
Overview
Inngest 3.22.0 through 3.53.1 contains an information disclosure vulnerability: the serve() HTTP handler exposes process.env in the diagnostic responses it returns for PATCH, OPTIONS or DELETE requests, letting unauthenticated remote attackers exfiltrate environment variables. Exploitation requires that the serve() endpoint be reachable via these HTTP methods.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Unauthenticated attackers can exfiltrate sensitive environment variables, including secrets and API keys, leading to potential full system compromise.
Mitigation
Upgrade to version 3.54.0 or later. Alternatively, restrict the serve() endpoint so that it accepts only GET, POST and PUT requests, enforced at the framework or reverse-proxy layer.
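The framework-layer workaround above, as an added example that is not Inngest's own code: a method allowlist wrapped around the serve() handler so that only GET, POST and PUT ever reach it, while every other method (PATCH, OPTIONS and DELETE included) is answered with 405 before the diagnostic code path is entered. The request and response shapes, the stand-in handler and the /api/inngest path are assumptions for this example.

```javascript
// Added example, not Inngest project code. A framework-agnostic method
// allowlist placed in front of the Inngest serve() handler, implementing the
// advisory's workaround of accepting only GET, POST and PUT.
const ALLOWED_METHODS = ["GET", "POST", "PUT"];

// Wrap a (req) => response handler. `req.method` follows the Node
// http.IncomingMessage shape; responses are plain objects so the guard can be
// exercised without starting a server. Methods are normalised to upper case
// so a lower-case "patch" cannot slip past the allowlist.
function restrictMethods(handler, allowed = ALLOWED_METHODS) {
  const allowSet = new Set(allowed.map((m) => m.toUpperCase()));
  return function guarded(req) {
    const method = String(req.method || "").toUpperCase();
    if (!allowSet.has(method)) {
      // Reject before the wrapped handler sees the request at all.
      return {
        status: 405,
        headers: { Allow: [...allowSet].join(", ") },
        body: "Method Not Allowed",
      };
    }
    return handler(req);
  };
}

// Adapter for Node's http module: apply the plain response object to a
// ServerResponse. Use as http.createServer(toNodeHandler(guardedServe)).
function toNodeHandler(guardedHandler) {
  return (req, res) => {
    const out = guardedHandler(req);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  };
}

// Constructed stand-in for the Inngest serve() handler (the real one is not
// imported here). It records which methods reached it so the guard can be
// verified: disallowed methods must never appear in this list.
const handlerCalls = [];
function exampleServeHandler(req) {
  handlerCalls.push(req.method);
  return { status: 200, headers: {}, body: "serve() handled " + req.url };
}

// Mounted at the assumed default path /api/inngest.
const guardedServe = restrictMethods(exampleServeHandler);
```

At a reverse proxy the same allowlist is expressed as a per-location method rule; either placement works as long as the disallowed methods are rejected before the serve() handler runs.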
Details
- CVE ID: CVE-2026-42047
- Severity: High
- CVSS Score: 8.6
- Type: information_disclosure
- Status: unconfirmed
CWE
- CWE-200
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N