CVE-2026-33010 in mcp-memory-service

Summary

by MITRE • 03/20/2026

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories. This issue has been patched in version 10.25.1.


Analysis

by VulDB Data Team • 03/27/2026

The vulnerability identified as CVE-2026-33010 affects mcp-memory-service, an open-source memory backend designed for multi-agent systems that provides a critical component for storing and retrieving memory data across distributed agent networks. This service operates with a web interface enabled through the MCP_HTTP_ENABLED environment variable, creating a potential attack surface that exposes sensitive data handling mechanisms to unauthorized access. The flaw exists in the application's configuration of FastAPI's CORSMiddleware component, which governs cross-origin resource sharing policies for web applications. The default configuration sets allow_origins=['*'] which creates a dangerous permissive policy that allows any website to access the service's API endpoints, effectively removing the fundamental security boundary that should protect against cross-site request forgery attacks.

The technical implementation of this vulnerability stems from the insecure configuration of CORS policies combined with anonymous access capabilities that are enabled by default. When MCP_ALLOW_ANONYMOUS_ACCESS=true, the service operates without requiring authentication credentials, creating a scenario where any malicious website can silently access the memory service through cross-origin requests. The combination of wildcard origins with credential handling creates a particularly dangerous condition where the application accepts requests from any domain while still allowing credential-based access patterns. This configuration violates fundamental security principles and creates a path for attackers to perform unauthorized operations including reading, modifying, and deleting all stored memory data without detection. The vulnerability exists in the application's initialization phase where security settings are applied without proper consideration of the operational context and threat model.

The operational impact of this vulnerability is severe and far-reaching for any system administrators or developers who have deployed mcp-memory-service with HTTP server enabled and anonymous access permitted. An attacker could construct a malicious website that silently accesses the memory service through legitimate browser cross-origin requests, potentially leading to complete data compromise and system integrity violations. The lack of authentication requirements combined with the permissive CORS policy creates a situation where sensitive memory data could be exfiltrated, modified, or destroyed without any indication of compromise to the legitimate system users. This vulnerability particularly affects multi-agent systems where memory data represents the collective knowledge, experiences, and operational context of the agents, making the potential impact on system behavior and decision-making processes extremely significant.

The vulnerability aligns with CWE-942, which specifically addresses "Overly Permissive Cross-domain Whitelist" and falls under the broader category of insecure cross-origin resource sharing configurations. From an ATT&CK framework perspective, this vulnerability enables techniques such as T1566.001 for initial access through malicious websites and T1567.002 for exfiltration of data through cross-origin requests. The patch implemented in version 10.25.1 addresses this by removing the wildcard configuration and requiring explicit origin specifications, which aligns with the principle of least privilege and proper security boundary enforcement. Organizations should immediately update to version 10.25.1 or later to remediate this vulnerability, while also implementing proper origin validation and credential management practices. The incident highlights the critical importance of secure default configurations and the need for security-conscious development practices when implementing web services with cross-origin capabilities.
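The settings named above, checked next to an explicit-origin allowlist of the kind the fix is described as requiring. This is an added example, not the project's code or its patch: the function names, the comma-separated origin format and the methods and headers in the hardened settings are assumptions, and the dictionaries only mirror CORSMiddleware's keyword arguments so the block runs without FastAPI.

```python
from urllib.parse import urlsplit

# Settings as described in the advisory for versions before 10.25.1.
VULNERABLE = {
    "allow_origins": ["*"],
    "allow_credentials": True,
    "allow_methods": ["*"],
    "allow_headers": ["*"],
}

def audit_cors(settings: dict, anonymous_access: bool) -> list:
    """Return findings for CORSMiddleware-style keyword arguments."""
    findings = []
    wildcard = "*" in settings.get("allow_origins", [])
    if wildcard:
        findings.append("allow_origins contains '*': any website can read responses")
    if wildcard and settings.get("allow_credentials"):
        findings.append("wildcard origin is combined with allow_credentials=True")
    if wildcard and anonymous_access:
        findings.append("anonymous access: cross-origin callers need no credentials")
    return findings

def parse_allowed_origins(raw: str) -> list:
    """Parse a comma-separated list of explicit origins, rejecting anything else."""
    origins = []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        if "*" in item:
            raise ValueError(f"wildcard origin not allowed: {item!r}")
        url = urlsplit(item)
        # An origin is scheme://host[:port] only. A path (even a trailing
        # slash) never matches the Origin header a browser sends.
        if url.scheme not in ("http", "https") or not url.netloc or "@" in url.netloc:
            raise ValueError(f"not an http(s) origin: {item!r}")
        if url.path or url.query or url.fragment:
            raise ValueError(f"origin must not carry a path or query: {item!r}")
        origins.append(f"{url.scheme}://{url.netloc.lower()}")
    return origins

def hardened_cors(raw_origins: str) -> dict:
    """Build settings with an explicit allowlist (methods/headers are illustrative)."""
    return {
        "allow_origins": parse_allowed_origins(raw_origins),
        "allow_credentials": True,
        "allow_methods": ["GET", "POST", "DELETE"],
        "allow_headers": ["Authorization", "Content-Type"],
    }
```

The dictionary returned by hardened_cors can be passed as keyword arguments to the middleware in place of the wildcard settings; audit_cors returns an empty list for it.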

Responsible: GitHub M
Reservation: 03/17/2026
Disclosure: 03/20/2026
Moderation: accepted
CPE: ready
EPSS: 0.00018
KEV: no
Activities: very low
