Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Network-reachable HTTP endpoint, trivial JSON-RPC call (AC:L), requires a low-privileged read-scope OAuth token (PR:L), no user interaction; impact is write/delete of memories so I:H and A:H, no new confidentiality disclosure (C:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call store_memory and delete_memory through MCP even though the corresponding REST endpoints require write scope. Version 10.65.3 patches the issue.
AnalysisAI
Authorization bypass in doobidoo mcp-memory-service prior to 10.65.3 lets OAuth clients with only the read scope invoke mutating MCP tools such as store_memory and delete_memory via the /mcp JSON-RPC endpoint, despite the equivalent REST endpoints correctly enforcing the write scope. Authenticated read-only clients can therefore tamper with or destroy memory entries used by downstream AI applications. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid OAuth access token bearing the read scope for the target mcp-memory-service instance and network reachability to the HTTP /mcp JSON-RPC endpoint; the instance must be running a vulnerable version prior to 10.65.3 with the MCP HTTP interface enabled (it is the affected code path, distinct from the REST API). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (8.1 High) accurately reflects a network-reachable, low-complexity bypass that requires a low-privileged OAuth token and yields high integrity and availability impact with no confidentiality loss - consistent with an attacker overwriting or deleting memories but not reading new data they could not already access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been legitimately issued an OAuth token with only the read scope - for example a third-party AI agent integration meant to query memories - sends a JSON-RPC tools/call request to /mcp invoking delete_memory or store_memory with attacker-chosen content. Because the endpoint only verifies the read scope, the call succeeds and the attacker can wipe stored memories or poison them with adversarial content that downstream LLM consumers will later retrieve. … |
| Remediation | Vendor-released patch: upgrade mcp-memory-service to 10.65.3 or later via pip (pip install --upgrade mcp-memory-service>=10.65.3), as confirmed by GHSA-2r68-g678-7qr3 and the PyPI release at https://pypi.org/project/mcp-memory-service/10.65.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running doobidoo mcp-memory-service versions prior to 10.65.3; audit OAuth token scopes and /mcp endpoint access for read-only credentials. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mcp Memory Service
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38058
GHSA-2r68-g678-7qr3