PT-2026-53766 · Pypi · Stigmem-Node

Published

2026-06-19

·

Updated

2026-06-19

CVSS v4.0

7.2

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

On a multi-tenant stigmem node, a caller holding a write credential for one tenant can run a decay sweep that acts on every tenant's facts. The candidate-selection queries in lifecycle/decay.py ( select ttl candidates, select confidence candidates) carried no tenant id predicate, and the caller's tenant was not threaded into the sweep or its async worker (run decay sweep / decay job worker), reached via POST /v1/decay/sweep.

Impact

A sweep with ttl seconds=0 expires all tenants' facts — cross-tenant data destruction (integrity and availability). A dry run sweep returns a global candidate count, acting as a cross-tenant existence/volume oracle (information disclosure).

Affected configurations

This is a cross-tenant break. It is exploitable only on deployments running the opt-in stigmem-plugin-multi-tenant (multiple tenants on one node). A default single-tenant node has only tenant="default" — there is no second tenant to cross — so it is not exploitable on default deployments. The rating is HIGH for the multi-tenant deployments the plugin exists to isolate.

Patches

Fixed in 0.9.0a12 (PR #728): identity.tenant id is threaded into run decay sweep and decay job worker, and AND tenant id = ? was added to the candidate selectors and the graph-sync. A tenant-B sweep now leaves tenant-A facts untouched, and dry run counts only the caller's tenant. The check fact query tenant scope.py CI guard was extended to scan lifecycle/ so this class cannot silently regress.

Workarounds

None other than upgrading to 0.9.0a12. Single-tenant deployments are unaffected.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-6GQW-JQV7-V88M

Affected Products

Stigmem-Node