PT-2026-51006 · Doobidoo · Mcp-Memory-Service
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-49291
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call store memory and delete memory through MCP even though the corresponding REST endpoints require write scope. Version 10.65.3 patches the issue.
Fix
Missing Authorization
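The scope gap described above, as an added sketch that is not mcp-memory-service code: an endpoint-wide read gate beside a dispatcher that checks a per-tool scope before calling the handler. The tool names, scope strings, handlers and in-memory store are all assumptions made for illustration.

```python
# Added illustration. Tool names, scope strings and handlers are assumptions,
# not mcp-memory-service code.
MEMORIES = {}  # constructed in-memory store

def retrieve_memory(key):
    return MEMORIES.get(key)

def store_memory(key, content):
    MEMORIES[key] = content
    return "stored"

def delete_memory(key):
    return "deleted" if MEMORIES.pop(key, None) is not None else "not found"

# Each tool declares the scope it needs, mirroring what the REST routes enforce.
TOOLS = {
    "retrieve_memory": (retrieve_memory, "read"),
    "store_memory": (store_memory, "write"),
    "delete_memory": (delete_memory, "write"),
}

class Forbidden(Exception):
    pass

def dispatch_vulnerable(scopes, request):
    # Flawed pattern: one endpoint-wide "read" gate, then any tool runs.
    if "read" not in scopes:
        raise Forbidden("read scope required")
    params = request["params"]
    handler, _required = TOOLS[params["name"]]
    return handler(**params["arguments"])

def dispatch_hardened(scopes, request):
    # Per-tool check: unknown tools and missing scopes are refused
    # before any handler is reached.
    if request.get("method") != "tools/call":
        raise ValueError("unsupported method")
    params = request["params"]
    entry = TOOLS.get(params["name"])
    if entry is None:
        raise Forbidden("unknown tool")
    handler, required = entry
    if required not in scopes:
        raise Forbidden(f"{params['name']} requires {required} scope")
    return handler(**params.get("arguments", {}))

def call(name, **arguments):
    # Build a tools/call JSON-RPC request (constructed sample input).
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}
```

Keeping the required scope next to the handler registration means a newly added mutating tool cannot be exposed without declaring its scope, and a regression test can assert that a read-only token is refused for every tool marked write.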
Weakness Enumeration
Related Identifiers
Affected Products
Mcp-Memory-Service