CVE-2026-49252
Received - Intake
Prototype Pollution in deepstream

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
deepstream is a server that allows clients and backend services to sync data, send messages and make RPCs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: deepstream
Product: deepstream
Version / Range: to 10.0.5 (exc)
CWE ID: CWE-1321
Description: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

The vulnerability in deepstream versions prior to 10.0.5 is a Prototype Pollution issue. This means that an attacker can manipulate the prototype of a base object, potentially altering the behavior of the application. In this case, any authenticated user with write permission to any record can exploit this vulnerability.

Exploitation of this vulnerability can lead to privilege escalation, allowing the attacker to gain higher-level permissions than originally granted.

Impact Analysis

This vulnerability can have a severe impact as it allows privilege escalation from any authenticated user with write access. An attacker could gain unauthorized elevated privileges, potentially leading to unauthorized access, data manipulation, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade deepstream to version 10.0.5 or later, where the Prototype Pollution issue has been fixed.

Additionally, restrict record write permissions to trusted authenticated users to reduce the risk of exploitation.
