Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2026-2950

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Published: Mar 31, 2026 | Modified: Apr 07, 2026
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-2950
CWEhttps://cwe.mitre.org/data/definitions/1321.html

Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.

Weakness

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Affected Software

NameVendorStart VersionEnd Version
LodashLodash4.0.0 (including)4.17.23 (excluding)
Lodash-amdLodash4.0.0 (including)4.17.23 (excluding)
Lodash-esLodash4.0.0 (including)4.17.23 (excluding)
Lodash.unsetLodash4.0.0 (including)*
Red Hat Developer Hub 1.10RedHatrhdh/rhdh-hub-rhel9:1780930740*
Red Hat Hardened ImagesRedHatnodejs25-main-25.9.0-1.1.hum1*
Red Hat Hardened ImagesRedHatyarnpkg-main-1.22.22-18.1.hum1*
Red Hat Hardened ImagesRedHatnodejs20-main-20.20.2-1.hum1*
Node-lodashUbuntuesm-apps-legacy/xenial*
Node-lodashUbuntuesm-apps/bionic*
Node-lodashUbuntuesm-apps/focal*
Node-lodashUbuntuesm-apps/jammy*
Node-lodashUbuntuesm-apps/noble*
Node-lodashUbuntuesm-apps/resolute*
Node-lodashUbuntuesm-apps/xenial*
Node-lodashUbuntujammy*
Node-lodashUbuntunoble*
Node-lodashUbuntuquesting*
Node-lodashUbunturesolute*
Node-lodashUbuntuupstream*

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use