PT-2026-47573 — Stigmem-Node

PT-2026-47573 · Pypi · Stigmem-Node

Published

2026-05-29

Updated

2026-05-29

CVSS v4.0

9.1

Critical

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Impact

Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and explicitly disabled mTLS while binding the node to a non-loopback URL.

Patches

Patched in 0.9.0a2. The node now refuses this configuration unless insecure federation is limited to loopback-only local development.

Workarounds

Before upgrading, operators should enable mTLS for federation or ensure federation endpoints are bound only to loopback/private test environments and are not reachable by untrusted networks.

Upgrade

Upgrade to the patched release:

pip install --upgrade --pre stigmem-node

If developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:

pip install --upgrade --pre 'stigmem[node]'

Resources

Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md

Fix

Cleartext Transmission of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-319CWE-489

Related Identifiers

GHSA-JMFC-HFJQ-PXCP

Affected Products

Stigmem-Node