CVE-2026-49252
Deferred Deferred - Pending Action

Prototype Pollution in deepstream

Vulnerability report for CVE-2026-49252, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-22
Generated
2026-07-09
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
deepstream deepstream to 10.0.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in deepstream versions prior to 10.0.5 is a Prototype Pollution issue. This means that an attacker can manipulate the prototype of a base object, potentially altering the behavior of the application. In this case, any authenticated user with write permission to any record can exploit this vulnerability.

Exploitation of this vulnerability can lead to privilege escalation, allowing the attacker to gain higher-level permissions than originally granted.

Impact Analysis

This vulnerability can have a severe impact as it allows privilege escalation from any authenticated user with write access. An attacker could gain unauthorized elevated privileges, potentially leading to unauthorized access, data manipulation, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade deepstream to version 10.0.5 or later, where the Prototype Pollution issue has been fixed.

Additionally, restrict write permissions to records only to trusted authenticated users to reduce the risk of exploitation.

Compliance Impact

The vulnerability in deepstream prior to version 10.0.5 allows for prototype pollution which can lead to privilege escalation from any authenticated user with write permission. This could potentially result in unauthorized access or modification of sensitive data.

Such unauthorized access or data manipulation could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access.

However, specific impacts on compliance are not detailed in the provided information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart