Description
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant, and receive task metadata for that DAG. This vulnerability is fixed in 0.83.39.
Problem types
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-863: Incorrect Authorization
Product status
References
github.com/...atchet/security/advisories/GHSA-55gc-6fmc-fpx9