CVE-2026-11330 in claude-meminfo

Summary

by MITRE • 06/05/2026

A weakness has been identified in thedotmack claude-mem up to version 11.0.1. The affected element is the function computeObservationContentHash in the file src/services/sqlite/observations/store.ts, part of the Observation Content Hash Handler component. The flaw is classified as use of a weak hash. The attack can only be executed locally; its complexity is rated high and its exploitability is described as difficult. Upgrading to version 12.0.0 fixes the issue (patch commit f32fda8b35e9fe9329f87da65c31149362a03f97). Upgrading the affected component is recommended.


Analysis

by VulDB Data Team • 06/05/2026

The vulnerability in thedotmack claude-mem up to version 11.0.1 is classified under the Common Weakness Enumeration as use of a weak hash. It sits in the function computeObservationContentHash in src/services/sqlite/observations/store.ts, the Observation Content Hash Handler component. The weakness class covers hash functions that lack collision resistance: non-cryptographic hashes, or digests too short or too broken to stop an attacker from producing two distinct inputs with the same output. The advisory does not name the function the affected versions used; for a content hash meant to identify or validate stored records, a current standard such as SHA-256 or SHA-3 is the expected choice.

The attack vector is local: an attacker needs access to the system or the application's environment, in practice a way to feed content into the observation store so that the hash is computed over attacker-chosen input. That narrows the exposure relative to a remote flaw without removing it. The high complexity and difficult exploitability ratings reflect that the attacker must be positioned to supply that input and must then construct colliding content; how much work the collision takes depends on the specific function, which the advisory does not name.

The operational consequence follows from what a content hash is for. If the hash identifies an observation or is used to validate its content, a collision lets an attacker substitute different content under the same hash: a deduplication check keyed on the hash may discard a legitimate record as a repeat, and an integrity check keyed on it accepts tampered content. Because the affected code is the SQLite observation store, the exposed asset is the integrity of the stored observation records, and changes made this way would go undetected by any check that relies on the weak hash. The advisory describes no concrete exploit chain beyond the weak hash itself.
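To make the weakness described in the two paragraphs above concrete, the TypeScript below is an added illustration, not code from claude-mem and not the hash the affected versions actually used (the advisory does not name it). It assumes a 32-bit FNV-1a digest as the weak content hash, pairs it with a SHA-256 replacement, and runs both through a toy hash-keyed observation store (an assumed schema, not the project's) to show how quickly a collision is found and how the weak store then drops a distinct record as a duplicate. The candidate observation texts are constructed inline.

```typescript
import { createHash } from "node:crypto";

// Hypothetical weak content hash: 32-bit FNV-1a, a fast non-cryptographic
// hash. The advisory does not name the algorithm claude-mem used, so this
// is an assumed stand-in, not the project's code.
export function weakContentHash(content: string): string {
  let h = 0x811c9dc5; // FNV-1a 32-bit offset basis
  const bytes = Buffer.from(content, "utf8");
  for (let i = 0; i < bytes.length; i++) {
    h ^= bytes[i];
    h = Math.imul(h, 0x01000193) >>> 0; // multiply by the FNV prime, keep 32 bits
  }
  return ("00000000" + h.toString(16)).slice(-8);
}

// Hardened replacement: SHA-256 over the UTF-8 bytes of the content.
export function strongContentHash(content: string): string {
  return createHash("sha256").update(content, "utf8").digest("hex");
}

// Toy observation store keyed by content hash (assumed schema, not the
// project's). A record whose hash is already present is treated as a
// duplicate and not stored, so a collision lets one record shadow another.
export class ObservationStore {
  private readonly byHash = new Map<string, string>();

  constructor(private readonly hash: (content: string) => string) {}

  insert(content: string): { hash: string; stored: boolean } {
    const h = this.hash(content);
    if (this.byHash.has(h)) {
      return { hash: h, stored: false };
    }
    this.byHash.set(h, content);
    return { hash: h, stored: true };
  }

  get(hash: string): string | undefined {
    return this.byHash.get(hash);
  }

  size(): number {
    return this.byHash.size;
  }
}

// Birthday search over constructed inputs: with a 32-bit digest, two
// distinct texts sharing a hash turn up after roughly 2^16 candidates.
// The same search against SHA-256 would need on the order of 2^128.
export function findWeakCollision(limit = 400000): [string, string] | null {
  const seen = new Map<string, string>();
  for (let i = 0; i < limit; i++) {
    const candidate = `observation ${i}`; // constructed sample content
    const h = weakContentHash(candidate);
    const previous = seen.get(h);
    if (previous !== undefined) {
      return [previous, candidate];
    }
    seen.set(h, candidate);
  }
  return null;
}

// Runs the shadowing end to end and reports how each store behaved.
export function demonstrate(): { weakStored: boolean; strongStored: boolean } | null {
  const pair = findWeakCollision();
  if (pair === null) {
    return null;
  }
  const weak = new ObservationStore(weakContentHash);
  const strong = new ObservationStore(strongContentHash);
  weak.insert(pair[0]);
  strong.insert(pair[0]);
  return {
    weakStored: weak.insert(pair[1]).stored, // false: the second record is dropped
    strongStored: strong.insert(pair[1]).stored, // true: distinct digest, both kept
  };
}
```

Calling demonstrate() returns weakStored false and strongStored true: under the weak hash the second, different observation is silently discarded as a repeat of the first, while under SHA-256 both are stored. Swapping the hash function is the whole of the fix at this layer; what the search cost shows is why a 32-bit or otherwise non-collision-resistant digest is not acceptable wherever the hash stands in for the content.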

The remediation is to upgrade to version 12.0.0, which carries the fix in commit f32fda8b35e9fe9329f87da65c31149362a03f97 and replaces the weak function with a secure cryptographic hash that resists collision attacks. Two things are worth checking when applying it: that the new hash is a current standard (SHA-256 or better) computed over the full content, and what happens to observations already stored under the old function, since changing the hash changes every existing value and records keyed or validated by the old one will not match the new computation unless they are recomputed or migrated. Organizations should treat the upgrade as routine vulnerability management; it is a straightforward change, and a review of the same codebase for other integrity checks built on weak hashes belongs in the same pass.

Responsible

VulDB

Disclosure

06/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources
