PT-2026-37248 · Inngest · Inngest

Amh4R

·

Published

2026-05-05

·

Updated

2026-05-10

·

CVE-2026-42047

CVSS v3.1

8.6

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Inngest versions 3.22.0 through 3.53.1
Description

An unauthenticated remote attacker can read the environment variables of the host process through the 'serve()' HTTP handler. The handler implements GET, POST, and PUT; requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information, and in affected versions that diagnostic response includes the full contents of process.env, exposing signing keys, API keys, and any other credentials held there. An application is affected only if its 'serve()' endpoint is actually reachable with those methods, which is the case in configurations that mount the handler for every HTTP method, such as the Next.js Pages Router or Express with app.use().
Recommendations

Update to version 3.54.0 or later. Treat every value that was present in process.env of an affected deployment as exposed and rotate it, including the Inngest signing key and event keys. As a mitigation, restrict the 'serve()' endpoint at the framework or reverse-proxy layer so that it accepts only GET, POST, and PUT requests, and use firewall or proxy rules to allow requests to the endpoint only from Inngest IP addresses.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-42047
GHSA-2JF5-6WWV-VHXX

Affected Products

Inngest