PT-2026-47568 · PyPI · Stigmem-Node

Published: 2026-05-29 · Updated: 2026-05-29

CVSS v4.0: 9.2 (Critical)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Impact

Stigmem nodes configured with authentication disabled could grant the anonymous identity broad read/write/federation capabilities if exposed outside a loopback-only local development environment. Impacted users are operators who intentionally disabled authentication while binding the node to a non-loopback URL.

Patches

Patched in 0.9.0a2. The node now refuses unauthenticated operation outside loopback-only local development.

Workarounds

Before upgrading, keep authentication enabled for all non-local deployments and do not expose nodes with authentication disabled to untrusted networks.
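The behaviour the Patches and Workarounds sections describe (refuse to run with authentication disabled unless the node is bound to a loopback-only address) can be expressed as a startup guard. The following is an added illustration, not Stigmem's own code: the function names `is_loopback_bind` and `check_node_config`, the configuration shape, and the sample bind URLs are all constructed for this example.

```python
"""Startup guard illustrating the advisory's fix: a node with authentication
disabled may only start when bound to a loopback address.

Hypothetical example; not part of the stigmem-node project.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def is_loopback_bind(bind_url: str) -> bool:
    """Return True only if the URL's host is a loopback address or 'localhost'.

    Wildcard binds (0.0.0.0, ::), routable IPs and arbitrary hostnames are
    treated as non-loopback: a hostname other than 'localhost' could resolve
    anywhere, so it does not qualify as local-only development.
    """
    host = urlsplit(bind_url).hostname  # lower-cased; brackets stripped from IPv6
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 or ::1
    except ValueError:
        return False  # not an IP literal; an unknown hostname is not trusted


def check_node_config(bind_url: str, auth_enabled: bool) -> tuple[bool, str]:
    """Decide whether the node may start. Returns (ok, reason)."""
    if auth_enabled:
        return True, "authentication enabled"
    if is_loopback_bind(bind_url):
        return True, "authentication disabled, but bound to loopback only"
    return False, (
        "refusing to start: authentication disabled while bound to "
        f"non-loopback address {bind_url!r}; enable authentication or bind to "
        "127.0.0.1 / [::1]"
    )


if __name__ == "__main__":
    # Constructed sample configurations: the weak one the advisory warns about
    # beside the two acceptable alternatives.
    samples = [
        ("http://0.0.0.0:8000", False),   # exposed, no auth: must be refused
        ("http://0.0.0.0:8000", True),    # exposed, auth on: allowed
        ("http://127.0.0.1:8000", False), # loopback, no auth: local dev only
        ("http://[::1]:8000", False),     # IPv6 loopback, no auth: allowed
    ]
    for url, auth in samples:
        ok, reason = check_node_config(url, auth)
        print(f"{url:<24} auth={auth!s:<5} -> {'start' if ok else 'REFUSE'}: {reason}")
```

The guard deliberately rejects bare hostnames other than `localhost`, since a DNS name can resolve to a non-loopback address at any time; operators who need authentication off for local work should bind to an explicit loopback literal.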

Upgrade

Upgrade to the patched release:

    pip install --upgrade --pre stigmem-node

If developers install through the Stigmem meta-package instead, they should use the matching extra for their deployment, for example:

    pip install --upgrade --pre 'stigmem[node]'

Resources

Fix

Weakness Enumeration

Improper Authorization

Missing Authorization

Related Identifiers

GHSA-FP6W-8WPG-74G5

Affected Products

Stigmem-Node