mcp-memory-service is vulnerable to Missing Authentication for Critical Function
98
Critical Risk
All HTTP routes under /api/documents/* in mcp-memory-service are served without any authentication dependency, even when the server is configured with an API key (MCP_API_KEY) or OAuth. An unauthenticated remote attacker can upload arbitrary content into the memory store (write), retrieve stored document content (read), and permanently delete memories belonging to authenticated users (delete) — all without supplying any credentials. The /api/memories counterpart correctly enforces authentication, making this an inconsistent and exploitable authentication boundary.
You are affected if you are using a version that falls within the vulnerable range.
mcp-memory-service is vulnerable to Missing Authentication for Critical Function in versions 0.0.1 - 10.67.0.
Upgrade mcp-memory-service to a patched version outside the vulnerable range.
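
A compensating control until the upgrade is deployed, shown as an added example that is not the project's own code: a default-deny WSGI wrapper that requires the key for every path under /api/, so a route group missing its own authentication dependency is still covered. The Bearer header format, the stand-in backend and the sample paths are assumptions.

```python
import hmac
import os
import posixpath

API_ROOT = "/api"  # default-deny for every API path, not a per-route opt-in


class RequireApiKey:
    """WSGI wrapper that rejects any /api/* request lacking the expected key."""

    def __init__(self, app, api_key):
        if not api_key:
            raise ValueError("refusing to start without an API key")
        self.app = app
        self.api_key = api_key.encode()

    def __call__(self, environ, start_response):
        # Collapse "//" and "../" before the prefix test is applied.
        path = posixpath.normpath("/" + environ.get("PATH_INFO", "").lstrip("/"))
        is_api = path == API_ROOT or path.startswith(API_ROOT + "/")
        if is_api and not self._authorized(environ):
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
            return [b"authentication required\n"]
        return self.app(environ, start_response)

    def _authorized(self, environ):
        # Assumption: the key arrives as "Authorization: Bearer <key>".
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        return scheme.lower() == "bearer" and hmac.compare_digest(
            token.strip().encode(), self.api_key)


def backend(environ, start_response):
    """Constructed stand-in for the upstream service: answers everything 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(app, path, token=None):
    """Drive one request through the WSGI app and return the numeric status."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])


guarded = RequireApiKey(backend, os.environ.get("MCP_API_KEY", "constructed-key"))
```

Because the check keys on the path prefix instead of on individual handlers, /api/documents/* and /api/memories get the same treatment.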