CVE Alert

CVE-2026-29787

MEDIUM 5.3

mcp-memory-service: System Information Disclosure via Health Endpoint

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCP_ALLOW_ANONYMOUS_ACCESS=true is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default 0.0.0.0 binding, this exposes sensitive reconnaissance data to the entire network. This issue has been patched in version 10.21.0.

CWE: CWE-200
Vendor: doobidoo
Product: mcp-memory-service
Published: Mar 7, 2026
Last Updated: Mar 9, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

doobidoo / mcp-memory-service: < 10.21.0

References

github.com: https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-73hc-m4hx-79pj
github.com: https://github.com/doobidoo/mcp-memory-service/commit/18f4323ca92763196aa2922f691dfbeb6bd84e48