Severity score: 9.9
stigmem-node: Anonymous access risk when auth is disabled outside local network
GHSA-fp6w-8wpg-74g5
Summary
If you're using stigmem-node and have disabled authentication, it's possible for anyone to access your data and settings from outside your local network. To fix this, update to the latest version of stigmem-node. If you can't update right now, keep authentication enabled for all non-local deployments and don't expose them to untrusted networks.
What to do
- Update stigmem-node to version 0.9.0a2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| PyPI | – | stigmem-node | < 0.9.0a2 (fix: upgrade to 0.9.0a2) |
Original title
stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback
Original description
### Impact
Stigmem nodes configured with authentication disabled could grant the anonymous identity broad read/write/federation capabilities if exposed outside a loopback-only local development environment. Impacted users are operators who intentionally disabled authentication while binding the node to a non-loopback URL.
### Patches
Patched in 0.9.0a2. The node now refuses unauthenticated operation outside loopback-only local development.
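The refusal the patch describes can be expressed as a startup guard that fails closed whenever authentication is off and the bind address is anything other than a loopback literal or name. This is an added illustration, not code from the stigmem project; the URL form, the `auth_enabled` flag and the loopback hostnames are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Names accepted as loopback without touching DNS (assumption for this example).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback_host(host: str) -> bool:
    """True only for loopback literals or the names above; DNS is never consulted."""
    host = host.strip("[]").lower()  # tolerate a bracketed IPv6 literal passed directly
    if host in LOOPBACK_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other hostname is assumed reachable from outside
    # An IPv4-mapped IPv6 address (::ffff:127.0.0.1) is loopback if the inner v4 is.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        return mapped.is_loopback
    return addr.is_loopback


def check_bind_policy(bind_url: str, auth_enabled: bool) -> tuple[bool, str]:
    """Return (ok, reason). Auth-disabled operation is allowed only on loopback."""
    host = urlsplit(bind_url).hostname
    if host is None:
        # e.g. "0.0.0.0:8080" without a scheme: refuse rather than guess.
        return False, f"cannot determine bind host from {bind_url!r}"
    if auth_enabled:
        return True, "authentication enabled"
    if is_loopback_host(host):
        return True, "authentication disabled, but node is bound to loopback only"
    return False, (
        f"refusing to start: authentication is disabled and {bind_url!r} is not "
        "loopback-only; enable authentication or bind to 127.0.0.1 / [::1]"
    )
```

Wildcard binds such as `0.0.0.0` and `::` are deliberately not treated as local, since they expose the node on every interface.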
### Workarounds
Before upgrading, keep authentication enabled for all non-local deployments and do not expose nodes with authentication disabled to untrusted networks.
### Upgrade
Upgrade to the patched release:
```bash
pip install --upgrade --pre stigmem-node
```
If developers install through the Stigmem meta-package instead, they should use the matching extra for their deployments, for example:
```bash
pip install --upgrade --pre 'stigmem[node]'
```
### Resources
- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
- Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
CVSS 4.0 (OSV): 9.9
Vulnerability type: CWE-285 Improper Authorization; CWE-862 Missing Authorization
- Advisory: https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-fp6w-8wpg-74g5
- Product: https://github.com/eidetic-labs/stigmem
- Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35
- Security policy: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
- Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2
Published: 29 May 2026 · Updated: 29 May 2026 · First seen: 29 May 2026