Skip to main content

Voltagent

1 CVEs product

Monthly

CVE-2026-13511 LOW POC PATCH Monitor

Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.

Authentication Bypass Voltagent
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.

Authentication Bypass Voltagent
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy