DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-6GQW-JQV7-V88M: Multi-Tenant Isolation Bypass in stigmem-node via Missing SQL Tenant Predicates

Vulnerability ID: GHSA-6GQW-JQV7-V88M
CVSS Score: 7.2
Published: 2026-06-19

A high-severity vulnerability (CVSS 7.2) exists in the stigmem-node package when the opt-in stigmem-plugin-multi-tenant plugin is enabled. The database queries issued by the decay sweep, quarantine moderation, and right-to-be-forgotten (RTBF) subsystems carry no tenant-scoping predicate, so an authenticated caller belonging to one tenant can read, modify, and delete facts belonging to every other tenant. This is a broken object level authorization (BOLA) flaw: the caller's tenant is known at the API layer but never reaches the SQL, so cross-tenant data manipulation and information leakage follow from ordinary, authorized requests.

TL;DR

A multi-tenant isolation bypass in stigmem-node allows authenticated users of one tenant to read, modify, and delete data belonging to all other tenants due to a lack of SQL tenant_id filters in the decay, quarantine, and tombstone systems.
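The failure mode described in the summary and the TL;DR above, as an added example that is not stigmem-node's code and is not taken from the advisory: a toy SQLite "facts" store with a decay sweep and an RTBF tombstone, each written first without and then with a `tenant_id` predicate, plus a small review-time guard that flags statements touching the table without binding the tenant. The schema, column names, function names and sample rows are assumptions for illustration.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Toy schema (an assumption; stigmem-node's real tables are not on the page).
SCHEMA = """
CREATE TABLE facts (
    id         INTEGER PRIMARY KEY,
    tenant_id  TEXT    NOT NULL,
    subject    TEXT    NOT NULL,
    body       TEXT    NOT NULL,
    expires_at TEXT    NOT NULL,
    tombstoned INTEGER NOT NULL DEFAULT 0
);
"""

NOW = datetime(2026, 6, 19, tzinfo=timezone.utc)

# Constructed sample data: two tenants, each with one expired and one live fact.
SAMPLE_FACTS = [
    ("acme",   "alice", "prefers dark mode", NOW - timedelta(days=1)),
    ("acme",   "alice", "lives in Oslo",     NOW + timedelta(days=30)),
    ("globex", "bob",   "speaks French",     NOW - timedelta(days=2)),
    ("globex", "carol", "uses vim",          NOW + timedelta(days=30)),
]


def new_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO facts (tenant_id, subject, body, expires_at) VALUES (?, ?, ?, ?)",
        [(t, s, b, e.isoformat()) for t, s, b, e in SAMPLE_FACTS],
    )
    return conn


# --- Vulnerable shape: the caller's tenant is known but never reaches the SQL. ---
def decay_sweep_vulnerable(conn, caller_tenant, now=NOW):
    cur = conn.execute("DELETE FROM facts WHERE expires_at < ?", (now.isoformat(),))
    return cur.rowcount


def rtbf_tombstone_vulnerable(conn, caller_tenant, subject):
    cur = conn.execute("UPDATE facts SET tombstoned = 1 WHERE subject = ?", (subject,))
    return cur.rowcount


# --- Fixed shape: every predicate is AND-ed with the caller's tenant. ---
def decay_sweep_fixed(conn, caller_tenant, now=NOW):
    cur = conn.execute(
        "DELETE FROM facts WHERE tenant_id = ? AND expires_at < ?",
        (caller_tenant, now.isoformat()),
    )
    return cur.rowcount


def rtbf_tombstone_fixed(conn, caller_tenant, subject):
    cur = conn.execute(
        "UPDATE facts SET tombstoned = 1 WHERE tenant_id = ? AND subject = ?",
        (caller_tenant, subject),
    )
    return cur.rowcount


def live_facts_by_tenant(conn):
    return dict(conn.execute(
        "SELECT tenant_id, COUNT(*) FROM facts WHERE tombstoned = 0 GROUP BY tenant_id"
    ))


def run_as_tenant(caller_tenant, fixed):
    """Run one decay sweep and one RTBF request as `caller_tenant`; return
    (rows deleted, rows tombstoned, live rows per tenant afterwards)."""
    conn = new_store()
    sweep = decay_sweep_fixed if fixed else decay_sweep_vulnerable
    tombstone = rtbf_tombstone_fixed if fixed else rtbf_tombstone_vulnerable
    deleted = sweep(conn, caller_tenant)
    # "carol" exists only under globex; acme must not be able to tombstone her.
    tombstoned = tombstone(conn, caller_tenant, "carol")
    return deleted, tombstoned, live_facts_by_tenant(conn)


# Review-time guard (heuristic): any statement that reads, updates or deletes
# from `facts` must bind tenant_id. Catches the class of bug, not just these queries.
_TENANT_PREDICATE = re.compile(r"\btenant_id\s*=\s*\?", re.IGNORECASE)
_TOUCHES_FACTS = re.compile(r"\b(FROM|UPDATE)\s+facts\b", re.IGNORECASE)


def has_tenant_predicate(sql):
    return not _TOUCHES_FACTS.search(sql) or bool(_TENANT_PREDICATE.search(sql))


if __name__ == "__main__":
    print("vulnerable:", run_as_tenant("acme", fixed=False))
    print("fixed:     ", run_as_tenant("acme", fixed=True))
```

Run as tenant `acme`, the vulnerable sweep deletes globex's expired row as well as acme's, and the vulnerable RTBF call tombstones a subject that exists only under globex; the fixed variants touch acme's rows only. Quarantine moderation follows the same pattern and gets the same fix. The regex guard is a lint for code review, not a control: the durable fix is to issue every query for tenant-owned tables through one data-access layer that injects the tenant predicate itself, so individual subsystems cannot forget it.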


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863 (Incorrect Authorization)
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 7.2 (High)
  • Impact: High (Confidentiality, Integrity and Availability: cross-tenant read, modification and deletion of facts)
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • stigmem-node running stigmem-plugin-multi-tenant
  • stigmem-node: < 0.9.0a12 (Fixed in: 0.9.0a12)

Exploit Details

  • GitHub Advisory: Official GHSA advisory details with reproduction concepts.

Mitigation Strategies

  • Upgrade to stigmem-node version 0.9.0a12 or later; this is the only change that restores tenant scoping in the affected queries.
  • If multi-tenancy is not required, set STIGMEM_MULTI_TENANT_ENABLED to false so the opt-in plugin and its affected code paths are not loaded.
  • As a stopgap until the upgrade, restrict who can reach the decay, quarantine and RTBF API routes at the WAF or reverse proxy (for example, limit them to operator or service identities). A WAF cannot supply the missing tenant predicate, because the requests that trigger the bug are authenticated and well-formed, so this reduces exposure rather than closing the flaw.

Remediation Steps:

  1. Check the currently running version of the stigmem-node package and whether stigmem-plugin-multi-tenant is enabled.
  2. Update requirements.txt or the dependency lockfile to require stigmem-node >=0.9.0a12 and reinstall.
  3. Restart the stigmem-node service so the patched code is loaded.
  4. Audit the facts database for cross-tenant side effects of the affected subsystems: expiration overrides, tombstones and quarantine decisions applied to rows whose tenant_id differs from the tenant of the caller that triggered them. If request logs do not record the calling tenant, treat any such change made before the upgrade as suspect rather than assuming it was legitimate.

Read the full report for GHSA-6GQW-JQV7-V88M on our website for more details including interactive diagrams and full exploit analysis.