HIGH | CVE-2026-46509 | CNA: GitHub_M

CVE-2026-46509: deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

deepobj provides get, set and delete operations on deeply nested objects in JavaScript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__, constructor or prototype segments. The property path must not be exposed to user input. This vulnerability is fixed in 1.0.3.

HarborGuard Analysis

Synopsis

Prototype pollution is a JavaScript vulnerability affecting the deepobj library in versions prior to 1.0.3. An unauthenticated remote attacker can reach it over the network by supplying a crafted property path containing segments such as __proto__, constructor, or prototype to deepobj's get, set, or delete operations. Successful exploitation lets the attacker tamper with object prototype attributes shared across the application, corrupting application logic and causing partial service disruption. No fix version has been published upstream yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-46509 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle the deepobj package directly or transitively. Any image in a connected registry or CI pipeline containing a deepobj version below 1.0.3 is flagged automatically.

Status: Available
Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.2 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a corrected release. In the meantime, customers can use HarborGuard's policy controls to flag or block deployment of images containing the affected deepobj versions.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.

  • Authentication: Not required

    No credentials or session token are needed; PR:N confirms the attacker can interact with the vulnerable code path anonymously.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is needed; UI:N means the attacker can complete the exploit entirely on their own.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental prerequisites.

Blast Radius

  • Attacker injects or overwrites properties on JavaScript object prototypes, silently altering shared application behavior across all objects that inherit from the polluted prototype.
  • Attacker manipulates integrity-sensitive logic such as access-control checks, configuration flags, or data-processing branches that read inherited prototype properties.
  • Attacker triggers partial service disruption by corrupting prototype state in ways that cause unhandled exceptions or undefined behavior in dependent application code (CVSS A:L).
  • Confidentiality impact is none (C:N), so direct data disclosure is not a consequence of this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-46509 has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment ranfdev ships a corrected deepobj release. For customers who opt into auto-remediation, that rebuild triggers a regression-test run and opens a PR against affected workloads without manual intervention.

While awaiting the upstream fix, compensating controls are available through HarborGuard's policy engine: network-policy isolation can restrict which services are permitted to pass user-controlled input into deepobj property paths, and admission policies can block deployment of new images containing the affected version range.

Customers should also audit application code to confirm that property paths passed to deepobj's get, set, and delete functions are never derived from untrusted user input; the library's own advisory identifies this as the primary exploitation condition.
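To make the mechanism in the synopsis and the audit advice above concrete, here is a minimal deep "set" helper in an unguarded form and a hardened form. This is example code added for this page, not deepobj's source; the function names, the dot-separated path format and the cleanup step are assumptions, and the hardened variant also refuses to walk through inherited properties (a broader guard than the three segment names the advisory lists).

```javascript
// Added example (not deepobj's code): unguarded vs. hardened deep set.
// Assumption: paths are dot-separated strings such as "a.b.c".
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Throws if any segment could redirect the walk onto a prototype chain.
function assertSafePath(segments) {
  for (const s of segments) {
    if (FORBIDDEN.has(s)) throw new TypeError(`unsafe path segment: ${s}`);
  }
}

// Unguarded deep set: no check on segment names, follows whatever
// property (own or inherited) the segment resolves to.
function unsafeSet(obj, path, value) {
  const segs = path.split(".");
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] == null) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Hardened deep set: rejects forbidden segments up front and only ever
// descends into own properties, so inherited members such as toString
// are never used as intermediate containers.
function safeSet(obj, path, value) {
  const segs = path.split(".");
  assertSafePath(segs);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// With the unguarded setter, a path through __proto__ lands on
// Object.prototype, so an unrelated object suddenly inherits the value.
// The key name is constructed for the demo; the finally block restores
// process-wide state so nothing stays polluted after the check.
function demonstratePollution() {
  const victim = {};
  const key = "pollutedDemoKey";
  try {
    unsafeSet({}, `__proto__.${key}`, true);
    return victim[key] === true; // true: the shared prototype was modified
  } finally {
    delete Object.prototype[key];
  }
}

// The hardened setter refuses the same path before touching any object.
function demonstrateBlocked() {
  try {
    safeSet({}, "__proto__.pollutedDemoKey", true);
    return false;
  } catch (e) {
    return e instanceof TypeError && !("pollutedDemoKey" in {});
  }
}
```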

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: ranfdev / deepobj < 1.0.3
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L