AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-42572: Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a

mediumvulnerability

security

Source: NVD/CVE DatabaseMay 14, 2026CVE-2026-42572

Summary

Hatchet is a platform for managing background tasks (work done separately from main application logic), AI agents, and workflows at scale. Before version 0.83.39, a missing authorization check on one API endpoint (GET /api/v1/stable/dags/tasks) allowed any authenticated user to view task details from other organizations (tenants) on the same Hatchet instance by providing another tenant's identifier.

Solution / Mitigation

Update Hatchet to version 0.83.39 or later, where this vulnerability is fixed.

Vulnerability Details

CVSS Score

5.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

network

Attack Complexity

high

Privileges Required

low

User Interaction

none

Disclosure Date

May 14, 2026

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

AI Component TargetedAgent

Taxonomy References

CWE (Weakness Type)

CWE-639 CWE-863

CAPEC (Attack Pattern)

CAPEC-122

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42572

First tracked: May 14, 2026 at 08:12 PM

Classified by LLM (prompt v3) · confidence: 85%