PT-2026-47561 · PyPI · Stigmem-Node

Published: 2026-05-29 · Updated: 2026-05-29

CVSS v4.0: 7.5 (High)

Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Impact

Postgres backend schema identifiers were interpolated directly into SQL strings. In the reviewed code path the schema value is operator-controlled, but the pattern would become an SQL injection if a future call site allowed tenant- or request-controlled schema names. Impacted users are operators running the Postgres backend in affected versions.

Patches

Patched in 0.9.0a2. Schema identifier handling now uses defensive identifier quoting and validation-oriented regression coverage.
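The unsafe pattern beside the validate-then-quote approach the fix describes, as an added illustration that is not the project's own code: the schema name is first checked against the shape of a plain Postgres identifier, then quoted with Postgres rules (double quotes, embedded quotes doubled). The function names and the regex are assumptions; in a real code base you would normally hand the name to the driver's identifier helper (for example psycopg's sql.Identifier) instead of quoting by hand.

```python
import re

# Assumed allow-list: an unquoted Postgres identifier, at most 63 characters.
_SCHEMA_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def build_search_path_unsafe(schema: str) -> str:
    """The pattern the advisory describes: the value is pasted into SQL as-is."""
    return f"SET search_path TO {schema}"


def validate_schema_name(schema: str) -> str:
    """Reject anything that is not a plain identifier (quotes, semicolons, spaces, too long)."""
    if not _SCHEMA_RE.match(schema):
        raise ValueError(f"invalid Postgres schema name: {schema!r}")
    return schema


def quote_identifier(name: str) -> str:
    """Quote a Postgres identifier: wrap in double quotes and double any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def build_search_path_safe(schema: str) -> str:
    """Validate first, then quote, so the interpolated text can only ever be an identifier."""
    return f"SET search_path TO {quote_identifier(validate_schema_name(schema))}"


# Constructed sample inputs used by the checks below (not real schema names).
GOOD_NAME = "tenant_a"
BAD_NAME = 'public"; -- not an identifier'
```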

Workarounds

Before upgrading, only configure Postgres schema names from trusted deployment configuration and do not derive schema names from request, tenant, header, or user input.

Upgrade

Upgrade to the patched release:

    pip install --upgrade --pre stigmem-node

Deployments that install through the Stigmem meta-package instead should use the matching extra, for example:

    pip install --upgrade --pre 'stigmem[node]'

Resources

Fix

SQL injection

Weakness Enumeration

Related Identifiers: GHSA-9PC9-4CRJ-MHPJ

Affected Products: Stigmem-Node