CVE-2026-49252 | deepstream is a server that allows clients and backend servi… | CVSS 9.9 CRITICAL

Description

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any record. This issue has been fixed in version 10.0.5.

Metadata

CVE ID: CVE-2026-49252
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-28 14:33 UTC
Published: 2026-06-18 20:01 UTC
Last updated: 2026-06-18 20:01 UTC
Primary CWE: CWE-1321
CWE-1321: Improperly Controlled Modification of Object Proto…
Vendor / Product: deepstreamIO / deepstream.io
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Affected products (1)

Vendor	Product	Platform	Versions
deepstreamIO	deepstream.io	—	< 10.0.5

Weakness (CWE)

CWE	Source	Description
CWE-1321	cna	CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

References (2)

https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6 https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6
https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44 https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44