PT-2026-51006 · Doobidoo · Mcp-Memory-Service
Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49291
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call store memory and delete memory through MCP even though the corresponding REST endpoints require write scope. Version 10.65.3 patches the issue.
Fix
Missing Authorization
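The description above comes down to an authorization check made once per endpoint instead of once per tool. The following is an added example, not code from mcp-memory-service or from this advisory: it contrasts the flawed dispatch pattern with a per-tool scope check. The tool identifiers, scope strings, error codes and in-memory store are assumptions made for illustration.

```python
# Added example: hypothetical dispatcher, not mcp-memory-service source code.
# Tool names, scope strings, error codes and the store are assumptions.
MEMORIES = {}

def store_memory(args):
    MEMORIES[args["id"]] = args["content"]
    return {"stored": args["id"]}

def delete_memory(args):
    return {"deleted": MEMORIES.pop(args["id"], None) is not None}

def retrieve_memory(args):
    return {"content": MEMORIES.get(args["id"])}

# Each tool is registered together with the scope it needs, so a handler
# cannot be exposed without an explicit authorization decision.
TOOLS = {
    "retrieve_memory": (retrieve_memory, "read"),
    "store_memory": (store_memory, "write"),
    "delete_memory": (delete_memory, "write"),
}

def _error(req, code, message):
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "error": {"code": code, "message": message}}

def _result(req, handler):
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "result": handler(req["params"].get("arguments", {}))}

def dispatch_endpoint_scope_only(req, token_scopes):
    """Flawed pattern from the advisory: one read check for every request."""
    if "read" not in token_scopes:
        return _error(req, -32001, "insufficient scope")
    handler, _ignored_scope = TOOLS[req["params"]["name"]]
    return _result(req, handler)

def dispatch_per_tool_scope(req, token_scopes):
    """Hardened pattern: authorize against the scope of the requested tool."""
    if req.get("method") != "tools/call":
        return _error(req, -32601, "method not found")
    entry = TOOLS.get(req.get("params", {}).get("name"))
    if entry is None:
        return _error(req, -32602, "unknown tool")
    handler, required = entry
    if required not in token_scopes:  # deny before the handler runs
        return _error(req, -32001, f"scope '{required}' required")
    return _result(req, handler)
```

Keeping the required scope in the same registry entry as the handler means a newly added mutating tool has to declare its scope to be callable at all, which keeps the MCP path aligned with the REST endpoints.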
Weakness Enumeration
Related Identifiers
Affected Products
Mcp-Memory-Service