Summary
On April 27, 2026, Inngest publicly disclosed CVE-2026-42047, a vulnerability in their TypeScript SDK that, under specific configuration conditions, could expose process environment variables via the SDK's serve endpoint diagnostic handler. Per the criteria published by Inngest, Atmos Pro was not technically affected: our serve endpoint runs under Next.js App Router with explicit per-method exports, the configuration Inngest names as inherently protected. Cloud Posse received embargoed advance notice ahead of public disclosure and, on April 20, 2026, upgraded the Inngest SDK to the fix version and rotated all Inngest integration credentials as part of the broader precautionary response described in our supply-chain response bulletin. Both actions were complete a week before public disclosure. No customer action is required.
Updates
- April 27, 2026 — Initial publication, following Inngest's public disclosure.
Who Is Impacted
Based on the evaluation criteria published by Inngest and our review of how the Inngest SDK is integrated into Atmos Pro, no Atmos Pro customers were technically exposed by this vulnerability. No additional customer-visible impact beyond the precautionary credential rotation described in our supply-chain response bulletin.
What We Know
- Inngest has published CVE-2026-42047 covering a vulnerability in their TypeScript SDK affecting versions 3.22.0 through 3.53.1. The vulnerability could expose process environment variables via the SDK's diagnostic handler when the serve endpoint accepts certain HTTP methods (PATCH, OPTIONS, DELETE). The fix is shipped in SDK version 3.54.0.
- Per the criteria published by Inngest, frameworks using explicit per-method HTTP mapping — Inngest names Next.js App Router specifically — were inherently protected. Atmos Pro's Inngest serve endpoint runs under Next.js App Router and explicitly exports only GET, POST, and PUT; the methods implicated by the disclosure are never routed to the Inngest SDK in our deployment.
- Cloud Posse received embargoed advance notice of this CVE ahead of public disclosure. On April 20, 2026 — a week before public disclosure — we upgraded the Inngest TypeScript SDK from a version within the affected range to the 3.54.0 fix version, and rotated all Inngest integration credentials.
- We have no evidence of unauthorized access to Cloud Posse systems, Atmos Pro infrastructure, or customer data related to this disclosure.
All actions below were completed under embargo on or before April 21, 2026 — a week before Inngest's April 27 public disclosure.
- Upgraded the Inngest TypeScript SDK to the 3.54.0 fix version on April 20, 2026, moving off a version within the affected range as soon as we received embargoed advance notice. This is the upgrade Inngest's published bulletin recommends.
- Rotated all Inngest integration credentials — including Inngest signing and event keys — as part of the broader precautionary response described in our supply-chain response bulletin. This matches the rotation guidance Inngest later published.
- Reviewed the disclosure criteria against our deployment when Inngest went public on April 27, and confirmed our serve endpoint is configured the way Inngest names as inherently protected: it runs under Next.js App Router and explicitly exports only GET, POST, and PUT, so the methods implicated by the disclosure are never routed to the Inngest SDK. This architectural protection has been in place independent of the SDK upgrade.
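A check along the lines of the review described above, as an added example that is not Cloud Posse's or Inngest's code: it tests an SDK version against the affected range stated in this bulletin and lists which of the implicated HTTP methods a Next.js App Router route file exports. The function names and the sample route source are assumptions constructed for illustration.

```javascript
// Added example: audit an SDK version and a route file against this bulletin's criteria.
// All names here are hypothetical; the sample route source is constructed.
const AFFECTED_MIN = [3, 22, 0]; // first affected version per the bulletin
const AFFECTED_MAX = [3, 53, 1]; // last affected version per the bulletin
const IMPLICATED = ["PATCH", "OPTIONS", "DELETE"]; // methods named in the disclosure
const HTTP_METHODS = ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return compare(p, AFFECTED_MIN) >= 0 && compare(p, AFFECTED_MAX) <= 0;
}

// Collect the HTTP method names exported by a route module's source text.
function exportedMethods(source) {
  const found = new Set();
  const add = (name) => { if (HTTP_METHODS.includes(name)) found.add(name); };
  // export function GET / export async function GET / export const GET = ...
  for (const m of source.matchAll(/export\s+(?:async\s+)?(?:function|const|let|var)\s+([A-Z]+)\b/g)) add(m[1]);
  // export const { GET, POST, PUT } = ...  (a renamed binding exports the new name)
  for (const m of source.matchAll(/export\s+(?:const|let|var)\s*\{([^}]*)\}\s*=/g))
    m[1].split(",").forEach((s) => add(s.split(":").pop().trim()));
  // export { handler as PATCH }
  for (const m of source.matchAll(/export\s*\{([^}]*)\}/g))
    m[1].split(",").forEach((s) => add(s.split(/\s+as\s+/).pop().trim()));
  return [...found].sort();
}

function audit(version, routeSource) {
  const routed = exportedMethods(routeSource).filter((m) => IMPLICATED.includes(m));
  return { affectedVersion: isAffectedVersion(version), implicatedMethodsRouted: routed };
}

// Constructed sample: a route file that exports only GET, POST and PUT.
const SAMPLE_ROUTE = `
import { serve } from "inngest/next";
export const { GET, POST, PUT } = serve({ client, functions });
`;
console.log(audit("3.54.0", SAMPLE_ROUTE));
```

The version comparison ignores pre-release suffixes, and the export scan is text-based, so re-exports from other modules need to be followed by hand.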
Recommendations for Customers
No customer action is required at this time.
Indicators of Compromise
None observed in our systems.
Follow-Up
This bulletin complements our supply-chain response bulletin. No additional follow-up is planned at this time.