HomeCVE Intelligence › CVE-2026-42047
CVSS 8.6 HIGH Vulnerability

CVE-2026-42047: Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTT…

Summary A vulnerability in the Inngest TypeScript SDK versions 3.22.0 through 3.53.1 allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The se…

8.6CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-42047
Vendornpm
Affected Productinngest
Vulnerability TypeVulnerability
CVSS Score8.6 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary A vulnerability in the Inngest TypeScript SDK versions 3.22.0 through 3.53.1 allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment.

Who is affected An application is vulnerable if all of the following are true: - It uses inngest SDK version >= 3.22.0, = 3.54.0, including all 4.x releases. The vulnerability was responsibly disclose

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-42047 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence