GHSA-84hp-mqvj-3p8h: mcp-memory-service: Missing Authentication on Document API Endpoints Allows Unauthenticated Memory Read/Write/Delete
Summary
mcp-memory-service has a critical authentication bypass vulnerability where all endpoints under `/api/documents/*` lack authentication checks, allowing unauthenticated attackers to read, write, and delete memories even when the server has API key or OAuth protection enabled. This is particularly dangerous because the `/api/memories` endpoints correctly enforce authentication, creating an inconsistent security boundary that attackers can exploit.
Vulnerability Details
EPSS: 0.0%
Yes
July 2, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-84hp-mqvj-3p8h
First tracked: July 2, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%