CVE-2026-42047

CVE-2026-42047 is a high-severity security vulnerability in inngest (npm), affecting versions >= 3.22.0, < 3.54.0. It is fixed in 3.54.0.

Summary

A vulnerability in the Inngest TypeScript SDK versions 3.22.0 through 3.53.1 allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler.

The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment.

Who is affected

An application is vulnerable if all of the following are true:

  • It uses inngest SDK version >= 3.22.0, <= 3.53.1 (inclusive).
  • Its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests.

Please check your framework's implementation for the serve handler (documentation) to assess whether it forwards these HTTP methods to the handler. Common vulnerable configurations include:

  • Next.js Pages Router, which forwards all HTTP methods to the handler.
  • Express via app.use('/api/inngest', serve(...)), which routes PATCH and OPTIONS to the handler by default.

The following are not affected:

  • Next.js App Router handlers that explicitly export only GET, POST, and PUT.
  • Applications using the connect worker method.
  • SDK versions < 3.22.0 and >= 3.54.0, including all 4.x releases.

The vulnerability was responsibly disclosed by an Inngest user. At this time, there are no known reports of exploitation.

Additional recommendations

Users on platforms with long-lived deployments (e.g. Vercel, Cloudflare Workers) should be aware that prior deployments remain reachable at their immutable URLs and may continue to expose the vulnerability even after a new deployment is promoted. For example, Vercel offers security features such as "Deployment Protection" and the ability to delete older deployments which can help immediately mitigate impact.

For additional security, users can also adjust firewall or proxy rules to only allow requests to their serve endpoint from Inngest IP addresses available here: http://inngest.com/ips-v4, http://inngest.com/ips-v6

Workarounds

If upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods.
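As an added example (not Inngest's or Kodem's code), the following Express-style middleware implements the framework-layer workaround: it answers any method other than GET, POST and PUT with 405 before the request can reach serve(). The mount path /api/inngest and the Express wiring shown in the comment are assumptions; the fake req/res objects in simulate() exist only so the guard can be exercised without a running server.

```javascript
// Added example: reject every HTTP method the Inngest serve() endpoint does
// not need, so PATCH/OPTIONS/DELETE never reach the generic fallthrough.
const ALLOWED_METHODS = ['GET', 'POST', 'PUT'];

// Returns an Express-compatible middleware (req, res, next). Any method not in
// `allowed` gets a 405 with an Allow header; everything else passes through.
function allowOnlyMethods(allowed = ALLOWED_METHODS) {
  const allowSet = new Set(allowed.map((m) => m.toUpperCase()));
  const allowHeader = [...allowSet].join(', ');
  return function methodGuard(req, res, next) {
    if (allowSet.has(String(req.method).toUpperCase())) {
      return next();
    }
    res.setHeader('Allow', allowHeader);
    res.statusCode = 405;
    res.end('Method Not Allowed');
  };
}

// Assumed wiring (not from the advisory): the guard sits in front of serve().
// app.use('/api/inngest', allowOnlyMethods(), serve({ client, functions }));

// Minimal fake req/res so the guard can be exercised offline. The status of a
// passed-through request stays at the placeholder 200 because no real handler
// runs here; only `reachedHandler` matters for allowed methods.
function simulate(method, guard = allowOnlyMethods()) {
  const res = {
    statusCode: 200,
    headers: {},
    body: null,
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body; },
  };
  let reachedHandler = false;
  guard({ method }, res, () => { reachedHandler = true; });
  return { reachedHandler, status: res.statusCode, allow: res.headers.Allow };
}

for (const method of ['GET', 'POST', 'PUT', 'PATCH', 'OPTIONS', 'DELETE']) {
  console.log(method, simulate(method));
}
```

Because the advisory states that serve() needs no method other than GET, POST and PUT, refusing OPTIONS here does not remove anything the endpoint supports; the same restriction can be expressed at a reverse proxy instead, which also covers frameworks (such as the Next.js Pages Router) that forward every method to the handler.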

Credits

  • Ben Hylak, an independent security researcher, discovered and responsibly disclosed the vulnerability.

Impact

CVE-2026-42047 has a CVSS score of 8.6 (High). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.54.0); upgrading removes the vulnerable code path.

Affected versions

inngest (>= 3.22.0, < 3.54.0)

Security releases

inngest → 3.54.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

  1. Upgrade to inngest@3.54.0 or later. The fix is backwards compatible with the 3.x release line. The 4.x line is also unaffected.
  2. Rotate any secrets that were present in environment variables (process.env) within affected environments, including Inngest signing keys and event keys.
  3. Search logs for any requests to your serve endpoints using the PATCH, OPTIONS, or DELETE HTTP methods to assess whether any environment variables may have been exposed.
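The log search in step 3, as an added example that is not part of the advisory: it parses web-server access log lines and flags PATCH, OPTIONS and DELETE requests whose path is the serve endpoint. The combined (nginx/Apache) log format, the mount path /api/inngest, and every sample line below are assumptions constructed for the example; adjust the regular expression and prefix to match your own deployment.

```javascript
// Added example: find access-log entries that could have triggered the
// diagnostic fallthrough (PATCH/OPTIONS/DELETE against the serve endpoint).
const SUSPECT_METHODS = new Set(['PATCH', 'OPTIONS', 'DELETE']);
const SERVE_PATH_PREFIX = '/api/inngest'; // assumed mount path

// Combined log format:
// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Returns the parsed fields or null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3].toUpperCase(),
    path: m[4],
    status: Number(m[5]),
  };
}

// True when the request path (query string ignored) is the serve endpoint or
// anything beneath it. A prefix such as /api/inngestx is deliberately rejected.
function isServePath(path) {
  const pathOnly = path.split('?')[0];
  return pathOnly === SERVE_PATH_PREFIX || pathOnly.startsWith(SERVE_PATH_PREFIX + '/');
}

// Returns every parsed record whose method and path make it a suspect request.
function findSuspectRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec && SUSPECT_METHODS.has(rec.method) && isServePath(rec.path)) {
      hits.push(rec);
    }
  }
  return hits;
}

// Counts suspect requests per source IP, a quick triage view for the analyst.
function summarize(hits) {
  const byIp = {};
  for (const h of hits) byIp[h.ip] = (byIp[h.ip] || 0) + 1;
  return byIp;
}

// Constructed sample log lines (not real traffic); IPs are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.10 - - [01/May/2026:10:00:01 +0000] "PUT /api/inngest HTTP/1.1" 200 512 "-" "constructed-ua"',
  '203.0.113.10 - - [01/May/2026:10:00:02 +0000] "POST /api/inngest?fnId=abc HTTP/1.1" 200 64 "-" "constructed-ua"',
  '198.51.100.7 - - [01/May/2026:10:05:13 +0000] "PATCH /api/inngest HTTP/1.1" 200 4096 "-" "curl/8.0"',
  '198.51.100.7 - - [01/May/2026:10:05:14 +0000] "OPTIONS /api/inngest/ HTTP/1.1" 200 4096 "-" "curl/8.0"',
  '198.51.100.7 - - [01/May/2026:10:05:15 +0000] "DELETE /api/other HTTP/1.1" 404 0 "-" "curl/8.0"',
  'garbage line that does not parse',
];

const hits = findSuspectRequests(SAMPLE_LOG);
console.log('suspect requests:', hits);
console.log('per source IP:', summarize(hits));
```

Any hit is a reason to proceed with the secret rotation in step 2 for that environment; the response status and size recorded for each hit help show whether the request reached the handler rather than being refused upstream.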

Frequently Asked Questions

  1. What is CVE-2026-42047? CVE-2026-42047 is a high-severity security vulnerability in inngest (npm), affecting versions >= 3.22.0, < 3.54.0. It is fixed in 3.54.0.
  2. How severe is CVE-2026-42047? CVE-2026-42047 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of inngest are affected by CVE-2026-42047? inngest (npm) versions >= 3.22.0, < 3.54.0 are affected.
  4. Is there a fix for CVE-2026-42047? Yes. CVE-2026-42047 is fixed in 3.54.0. Upgrade to this version or later.
  5. Is CVE-2026-42047 exploitable, and should I be worried? Whether CVE-2026-42047 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-42047 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42047? Upgrade inngest to 3.54.0 or later.
