PT-2026-47582 — Stigmem-Node

PT-2026-47582 · Pypi · Stigmem-Node

Published

2026-05-29

Updated

2026-05-29

CVSS v4.0

7.3

High

Vector

AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Impact

A single configuration flag could disable plugin signature enforcement. If an operator unintentionally carried that setting into an environment where plugin paths are writable by less-trusted users, unsigned plugin code could be loaded.

Patches

Patched in 0.9.0a2. Disabling plugin signature enforcement now requires a second explicit acknowledgment value.

Workarounds

Before upgrading, keep plugin signing required in all shared or production environments and ensure plugin directories are not writable by untrusted users.

Upgrade

Upgrade to the patched release:

pip install --upgrade --pre stigmem-node

If developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:

pip install --upgrade --pre 'stigmem[node]'

Resources

Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-494

Related Identifiers

GHSA-W7PM-9G55-MXFM

Affected Products

Stigmem-Node