Skip to main content

claude-mem EUVDEUVD-2026-34828

| CVE-2026-11330 LOW
Use of Weak Hash (CWE-328)
2026-06-05 VulDB GHSA-5gvr-v6qv-h5mm
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 05, 2026 - 14:22 NVD
3.6 (LOW) 2.0 (LOW)
Source Code Evidence Fetched
Jun 05, 2026 - 14:17 vuln.today
Analysis Generated
Jun 05, 2026 - 14:17 vuln.today

DescriptionCVE.org

A weakness has been identified in thedotmack claude-mem up to 11.0.1. The affected element is the function computeObservationContentHash of the file src/services/sqlite/observations/store.ts of the component Observation Content Hash Handler. This manipulation causes use of weak hash. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. Upgrading to version 12.0.0 is sufficient to fix this issue. Patch name: f32fda8b35e9fe9329f87da65c31149362a03f97. It is suggested to upgrade the affected component.

AnalysisAI

Hash collision via field-boundary ambiguity in thedotmack/claude-mem through 11.0.1 allows a local low-privilege attacker to cause two semantically distinct observation records to produce identical content hashes, corrupting the SQLite-backed deduplication and integrity logic. The root cause is delimiter-free concatenation of three input fields in computeObservationContentHash, meaning different distributions of characters across memorySessionId, title, and narrative yield the same hash input and thus the same digest. No public exploit exists and exploitation is not confirmed actively in the wild; vendor-released fix version 12.0.0 is available.

Technical ContextAI

The vulnerability exists in src/services/sqlite/observations/store.ts within the computeObservationContentHash function of the claude-mem project (CPE: cpe:2.3:a:thedotmack:claude-mem:*:*:*:*:*:*:*:*), a SQLite-backed memory/observation store likely used as a Model Context Protocol (MCP) memory server. The original implementation concatenated three string fields without separators - .update((memorySessionId || '') + (title || '') + (narrative || '')) - meaning the hash function receives indistinguishable input for tuples like ('session-abc', 'debug log', '') and ('session-ab', 'cdebug log', ''). The fix (commit f32fda8b, PR #1494) introduces null-byte delimiters between fields via .join('\x00'), eliminating boundary ambiguity. CWE-328 is assigned as 'Use of Weak Hash', though the underlying hash algorithm is not inherently weak - the flaw is more precisely a hash input construction error that enables preimage collisions. The accompanying test in tests/sqlite/data-integrity.test.ts confirms four previously-colliding tuples now produce distinct hashes post-patch.

RemediationAI

Upgrade to claude-mem version 12.0.0, which is the vendor-confirmed patched release available at https://github.com/thedotmack/claude-mem/releases/tag/v12.0.0. The fix is implemented in commit f32fda8b35e9fe9329f87da65c31149362a03f97 via PR #1494. If an immediate upgrade is not possible, restrict write access to the observation ingestion pathway to fully trusted, non-adversarial processes only - this reduces the probability that crafted field values could be submitted, but does not eliminate the underlying hash construction flaw and should not be treated as a permanent mitigation. The upgrade itself has no reported side effects and is the only confirmed resolution.

Share

EUVD-2026-34828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy