Exposure of Sensitive System Information to an Unauthorized Control Sphere Affecting inngest package, versions >=3.22.0 <3.54.0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-INNGEST-16636302
- published11 May 2026
- disclosed5 May 2026
- creditbenhylak
Introduced: 5 May 2026
NewCVE-2026-42047 (opens in a new tab)How to fix?
Upgrade inngest to version 3.54.0 or higher.
Overview
inngest is an Official SDK for Inngest.com. Inngest is the reliability layer for modern applications. Inngest combines durable execution, events, and queues into a zero-infra platform with built-in observability.
Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the serve process. An attacker can access sensitive environment variables by sending unauthenticated HTTP requests using PATCH, OPTIONS, or DELETE methods to the affected endpoint. This is only exploitable if the serve endpoint is accessible via these HTTP methods in the application's framework or routing configuration.
Workaround
This vulnerability can be mitigated by restricting the serve endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT HTTP methods.