Skip to main content

VoltAgent EUVDEUVD-2026-40008

| CVE-2026-13511 LOW
Improper Authorization (CWE-285)
2026-06-28 VulDB GHSA-9qqm-g68p-fhhp
1.3
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

Network-reachable API with authenticated user requirement (PR:L); high complexity to enumerate victim conversationId; impact limited to reading others' conversation data with no integrity or availability consequence.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 28, 2026 - 23:22 NVD
2.3 (LOW) 1.3 (LOW)
Source Code Evidence Fetched
Jun 28, 2026 - 23:21 vuln.today
Analysis Generated
Jun 28, 2026 - 23:21 vuln.today

DescriptionCVE.org

A vulnerability was determined in VoltAgent up to 2.1.17. Affected by this issue is the function handleGetMemoryConversation of the file packages/server-core/src/handlers/memory.handlers.ts of the component Memory REST API. Executing a manipulation of the argument conversationId can lead to improper authorization. The attack may be performed from remote. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

AnalysisAI

Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to VoltAgent instance
Delivery
Enumerate or guess victim's conversationId
Exploit
Craft GET request with victim conversationId
Execution
Submit to handleGetMemoryConversation endpoint
Persist
Bypass missing ownership check
Impact
Receive victim's private conversation history

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated session on the VoltAgent instance (PR:L per CVSS 4.0 - unauthenticated exploitation is not possible). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate and tightly scoped to multi-user VoltAgent deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated VoltAgent user enumerates or guesses a victim user's conversationId - feasible if IDs follow a predictable format or can be leaked through other API responses - then issues a GET request to the Memory REST API substituting the victim's conversationId, bypassing the missing ownership check in handleGetMemoryConversation and receiving the victim's private AI conversation history in the response. A proof-of-concept demonstrating this cross-user data access is publicly available at https://github.com/VoltAgent/voltagent/issues/1315, lowering the barrier to exploitation for authenticated users.
Remediation The upstream fix is the GitHub pull request #1317 at https://github.com/VoltAgent/voltagent/pull/1317, which binds Memory REST API operations to the authenticated user to prevent cross-user conversation access; however, this PR was pending acceptance at time of analysis and no patched tagged release version has been independently confirmed - monitor the VoltAgent repository at https://github.com/VoltAgent/voltagent/ for a release incorporating this PR and upgrade immediately when one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy