Hatchet Missing Authorization Vulnerability in Multi-Tenant Instances Allowing Cross-Tenant Information Disclosure
Vulnerability
A vulnerability in Hatchet prior to version 0.83.39 allowed cross-tenant information disclosure due to a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint. Because the directive was absent, the tenant-membership check was never applied to that route, so a user authenticated to any tenant could query the endpoint with another tenant's UUID and a DAG UUID belonging to that tenant. The response included sensitive task metadata for the queried DAG, such as workflow details and additional metadata that could contain user identifiers or customer IDs. The vulnerability affected multi-tenant Hatchet instances; self-hosted users need to upgrade to version 0.83.39 or later.
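The following Go program is an added illustration of the failure pattern the advisory describes; it is not Hatchet's code and does not reproduce its API framework. It models a handler for GET /api/v1/stable/dags/tasks that trusts the tenant and DAG identifiers in the request, then wraps the same handler in a tenant-membership check so the two behaviours can be compared side by side. The caller identity is taken from a hypothetical X-User header standing in for session authentication, the query parameter names tenant and dag are assumptions, and the membership table and task metadata are constructed sample data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Memberships maps a user ID to the set of tenant IDs the user belongs to.
// Constructed stand-in for a tenant-membership table.
type Memberships map[string]map[string]bool

// TaskStore maps tenant ID -> DAG ID -> task metadata (constructed sample data).
type TaskStore map[string]map[string]string

// IsMember reports whether userID belongs to tenantID; missing keys read as false.
func (m Memberships) IsMember(userID, tenantID string) bool {
	return m[userID][tenantID]
}

// lookupTasks returns the task metadata for (tenant, dag), or "" when absent.
func (s TaskStore) lookupTasks(tenantID, dagID string) string {
	return s[tenantID][dagID]
}

// dagTasksHandler mirrors the shape of the affected endpoint: it reads the tenant
// and DAG identifiers from the request and never consults the caller's memberships.
// This reproduces the missing-check behaviour the advisory describes.
func dagTasksHandler(store TaskStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tenantID := r.URL.Query().Get("tenant")
		dagID := r.URL.Query().Get("dag")
		meta := store.lookupTasks(tenantID, dagID)
		if meta == "" {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		fmt.Fprint(w, meta)
	}
}

// requireTenantMembership is the authorization step the endpoint lacked. It resolves
// the caller (hypothetical X-User header) and rejects the request unless the caller
// belongs to the tenant named in the request, before any tenant data is read.
func requireTenantMembership(m Memberships, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("X-User")
		tenantID := r.URL.Query().Get("tenant")
		if userID == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if tenantID == "" || !m.IsMember(userID, tenantID) {
			// Deny without touching tenant data, so the response does not reveal
			// whether the requested DAG exists in the other tenant.
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// query issues GET /api/v1/stable/dags/tasks as user and returns the HTTP status code.
func query(h http.HandlerFunc, user, tenantID, dagID string) int {
	params := url.Values{"tenant": {tenantID}, "dag": {dagID}}
	req := httptest.NewRequest(http.MethodGet,
		"/api/v1/stable/dags/tasks?"+params.Encode(), nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// sampleFixtures builds constructed data: alice belongs to tenant-a, bob to tenant-b.
func sampleFixtures() (Memberships, TaskStore) {
	m := Memberships{
		"alice": {"tenant-a": true},
		"bob":   {"tenant-b": true},
	}
	s := TaskStore{
		"tenant-a": {"dag-1": "workflow=nightly-export customer_id=cust-0001"},
		"tenant-b": {"dag-9": "workflow=billing-run customer_id=cust-0042"},
	}
	return m, s
}

func main() {
	m, s := sampleFixtures()
	unprotected := dagTasksHandler(s)
	protected := requireTenantMembership(m, dagTasksHandler(s))

	// alice, a member of tenant-a only, asks for bob's tenant and DAG.
	fmt.Println("unprotected, cross-tenant:", query(unprotected, "alice", "tenant-b", "dag-9"))
	fmt.Println("protected, cross-tenant:  ", query(protected, "alice", "tenant-b", "dag-9"))
	fmt.Println("protected, own tenant:    ", query(protected, "alice", "tenant-a", "dag-1"))
}
```

The important design point is that the membership check sits in a wrapper applied to the route, not inside the handler body: a route that is registered without the wrapper is exactly the missing-directive situation, which is why an audit of which routes carry the authorization wrapper is the check a defender wants to run on a multi-tenant API.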
Impact
Exploitation of this vulnerability allowed unauthorized read access to task metadata from other tenants' DAGs. The sensitivity of the exposed data depends on what each deployment stores in its workflow and task metadata, which may include user identifiers or customer IDs.
Remediation
Self-hosted users should upgrade to Hatchet version 0.83.39 or later. If an immediate upgrade is not possible, account creation can be restricted to control who can register on the instance, and the Hatchet API can be secured by not exposing it to untrusted networks.
