CVE-2026-49252: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in deepstreamIO deepstream.io
deepstream.io versions prior to 10.0.5 are affected by a Prototype Pollution vulnerability (CWE-1321) that allows an authenticated user with write permissions to any record to potentially escalate privileges. This vulnerability has a critical CVSS score of 9.9 and was fixed in version 10.0.5.
AI Analysis
Technical Summary
deepstream.io, a server for data synchronization, messaging, and RPCs, suffers from a Prototype Pollution vulnerability in versions before 10.0.5. This flaw allows improper modification of object prototype attributes, which can be exploited by any authenticated user with write access to escalate privileges. The vulnerability is tracked as CVE-2026-49252 and has a critical severity rating with a CVSS 3.1 score of 9.9. The issue has been resolved in deepstream.io version 10.0.5.
Potential Impact
Exploitation of this vulnerability can lead to privilege escalation from any authenticated user who has write permission to any record, potentially compromising confidentiality, integrity, and availability of the system. The CVSS vector indicates network attack vector, low attack complexity, privileges required, no user interaction, scope changed, and high impact on confidentiality, integrity, and low impact on availability.
Mitigation Recommendations
Upgrade deepstream.io to version 10.0.5 or later, where this Prototype Pollution vulnerability has been fixed. No other mitigation is specified or required once the update is applied.
CVE-2026-49252: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in deepstreamIO deepstream.io
Description
deepstream.io versions prior to 10.0.5 are affected by a Prototype Pollution vulnerability (CWE-1321) that allows an authenticated user with write permissions to any record to potentially escalate privileges. This vulnerability has a critical CVSS score of 9.9 and was fixed in version 10.0.5.
CVSS v3.1
Score 9.9critical
Affected software
pkg:github/deepstreamio/deepstream.ioRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
deepstream.io, a server for data synchronization, messaging, and RPCs, suffers from a Prototype Pollution vulnerability in versions before 10.0.5. This flaw allows improper modification of object prototype attributes, which can be exploited by any authenticated user with write access to escalate privileges. The vulnerability is tracked as CVE-2026-49252 and has a critical severity rating with a CVSS 3.1 score of 9.9. The issue has been resolved in deepstream.io version 10.0.5.
Potential Impact
Exploitation of this vulnerability can lead to privilege escalation from any authenticated user who has write permission to any record, potentially compromising confidentiality, integrity, and availability of the system. The CVSS vector indicates network attack vector, low attack complexity, privileges required, no user interaction, scope changed, and high impact on confidentiality, integrity, and low impact on availability.
Mitigation Recommendations
Upgrade deepstream.io to version 10.0.5 or later, where this Prototype Pollution vulnerability has been fixed. No other mitigation is specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-28T14:33:01.179Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3456d1f198dc38c18207e6
Added to database: 6/18/2026, 8:36:33 PM
Last enriched: 6/18/2026, 8:50:00 PM
Last updated: 6/18/2026, 11:35:05 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.