CVE-2026-42047
Published: 07 May 2026
Summary
CVE-2026-42047 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Inngest Inngest. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28441
Vulnerability details
Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve()…
more
HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote unauthenticated exploitation of a public-facing HTTP handler (T1190) to directly retrieve environment variables containing credentials (T1552).
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
Shielding or other emanation protections directly prevent sensitive information from reaching unauthorized actors via electromagnetic signals.
Minimizing PII in testing/training/research directly reduces the volume of sensitive data present in environments where it could be exposed to unauthorized actors.
Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
Concealment techniques directly prevent real sensitive data from being exposed to adversaries.
Restricts error message visibility to authorized recipients, directly reducing unauthorized exposure of sensitive information.