Atmos Pro Logo

Atmos Pro

ProductPricingDocsBlogChangelog
Create Workspace
← Back to Incidents
security

Security Bulletin: Inngest TypeScript SDK Disclosure (CVE-2026-42047) — Not Technically Affected

Occurred: 2026-04-20 at 00:00 UTC
Resolved: 2026-04-21 at 00:00 UTC
Author: erik
Atmos Pro Logo

Atmos Pro

The fastest way to deploy your apps on AWS with Terraform and GitHub Actions.

GitHubTwitterLinkedInYouTubeSlack

For Developers

  • Quick Start
  • Example Workflows
  • Atmos Documentation

Community

  • Register for Office Hours
  • Join the Slack Community
  • Try our Newsletter

Company

  • About Cloud Posse
  • Security
  • Pricing
  • Blog
  • Media Kit

Legal

  • SaaS Agreement
  • Terms of Use
  • Privacy Policy
  • Disclaimer
  • Cookie Policy

© 2026 Cloud Posse, LLC. All rights reserved.

Checking status...

Summary

On April 27, 2026, Inngest publicly disclosed CVE-2026-42047, a vulnerability in their TypeScript SDK that, under specific configuration conditions, could expose process environment variables via the SDK's serve endpoint diagnostic handler. Per the criteria published by Inngest, Atmos Pro was not technically affected: our serve endpoint runs under Next.js App Router with explicit per-method exports, the configuration Inngest names as inherently protected. Cloud Posse received embargoed advance notice ahead of public disclosure and, on April 20, 2026, upgraded the Inngest SDK to the fix version and rotated all Inngest integration credentials as part of the broader precautionary response described in our supply-chain response bulletin. Both actions were complete a week before public disclosure. No customer action is required.

Updates

  • April 27, 2026 — Initial publication, following Inngest's public disclosure.

Who Is Impacted

Based on the evaluation criteria published by Inngest and our review of how the Inngest SDK is integrated into Atmos Pro, no Atmos Pro customers were technically exposed by this vulnerability. No additional customer-visible impact beyond the precautionary credential rotation described in our supply-chain response bulletin.

What We Know

  • Inngest has published CVE-2026-42047 covering a vulnerability in their TypeScript SDK affecting versions 3.22.0 through 3.53.1. The vulnerability could expose process environment variables via the SDK's diagnostic handler when the serve endpoint accepts certain HTTP methods (PATCH, OPTIONS, DELETE). The fix is shipped in SDK version 3.54.0.
  • Per the criteria published by Inngest, frameworks using explicit per-method HTTP mapping — Inngest names Next.js App Router specifically — were inherently protected. Atmos Pro's Inngest serve endpoint runs under Next.js App Router and explicitly exports only GET, , and ; the methods implicated by the disclosure are never routed to the Inngest SDK in our deployment.
All actions below were completed under embargo on or before April 21, 2026 — a week before Inngest's April 27 public disclosure.
  • Upgraded the Inngest TypeScript SDK to the 3.54.0 fix version on April 20, 2026, moving off a version within the affected range as soon as we received embargoed advance notice. This is the upgrade Inngest's published bulletin recommends.
  • Rotated all Inngest integration credentials — including Inngest signing and event keys — as part of the broader precautionary response described in our supply-chain response bulletin. This matches the rotation guidance Inngest later published.
  • Reviewed the disclosure criteria against our deployment when Inngest went public on April 27, and confirmed our serve endpoint is configured the way Inngest names as inherently protected: it runs under Next.js App Router and explicitly exports only GET, POST, and PUT, so the methods implicated by the disclosure are never routed to the Inngest SDK. This architectural protection has been in place independent of the SDK upgrade.

Recommendations for Customers

No customer action is required at this time.

Indicators of Compromise

None observed in our systems.

Follow-Up

This bulletin complements our supply-chain response bulletin. No additional follow-up is planned at this time.
POST
PUT
  • Cloud Posse received embargoed advance notice of this CVE ahead of public disclosure. On April 20, 2026 — a week before public disclosure — we upgraded the Inngest TypeScript SDK from a version within the affected range to the 3.54.0 fix version, and rotated all Inngest integration credentials.
  • We have no evidence of unauthorized access to Cloud Posse systems, Atmos Pro infrastructure, or customer data related to this disclosure.