Cross-Origin Resource Sharing Misconfiguration in mcp-memory-service by Doobidoo
CVE-2026-33010

8.1 HIGH

Key Information:

Vendor: Doobidoo

CVE Published: 20 March 2026

What is CVE-2026-33010?

mcp-memory-service, an open-source memory backend for multi-agent systems, has a serious CORS misconfiguration in versions prior to 10.25.1. When the HTTP server is enabled, FastAPI's CORSMiddleware is configured to allow all origins, methods, headers, and credentials. As a result, any malicious website can access the API without authentication and read, modify, and delete all stored memories. The issue arises when the MCP_ALLOW_ANONYMOUS_ACCESS setting is true, in which case the API accepts requests without credentials. Upgrading to version 10.25.1 remedies this vulnerability.
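A configuration check for the pattern described above, as an added example (not code from mcp-memory-service, and not a description of the 10.25.1 fix). The keyword names are CORSMiddleware's own; the sample settings, the `dashboard.example` origin and the finding names are assumptions made for illustration.

```python
"""Audit CORSMiddleware keyword arguments for the any-origin pattern."""

# Constructed sample: the permissive settings the advisory text describes.
VULNERABLE = {
    "allow_origins": ["*"],
    "allow_methods": ["*"],
    "allow_headers": ["*"],
    "allow_credentials": True,
}

# Constructed sample: an explicit allow-list (placeholder origin).
HARDENED = {
    "allow_origins": ["https://dashboard.example"],
    "allow_methods": ["GET", "POST", "DELETE"],
    "allow_headers": ["Authorization", "Content-Type"],
    "allow_credentials": False,
}


def audit_cors(settings, anonymous_access):
    """Return finding names for one CORSMiddleware kwargs dict.

    anonymous_access mirrors MCP_ALLOW_ANONYMOUS_ACCESS: when it is true the
    API needs no credential, so CORS is the only barrier between an
    arbitrary web page and the stored data.
    """
    def wildcard(key):
        return "*" in settings.get(key, [])

    any_origin = (wildcard("allow_origins")
                  or settings.get("allow_origin_regex") in (".*", "^.*$"))
    findings = []
    if not any_origin:
        return findings  # method/header wildcards are bounded by the allow-list
    findings.append("any-origin")
    if settings.get("allow_credentials"):
        findings.append("any-origin-with-credentials")
    if anonymous_access:
        findings.append("anonymous-api-readable-cross-origin")
    for key in ("allow_methods", "allow_headers"):
        if wildcard(key):
            findings.append("wildcard-" + key.split("_")[1])
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_cors(cfg, anonymous_access=True))
```
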

Affected Version(s)

mcp-memory-service < 10.25.1

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved