Voltagent
Monthly
Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.
Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.