github doobidoo/mcp-memory-service v10.4.4
v10.4.4 - CRITICAL Security Fix & API Key Authentication


🔒 CRITICAL Security Update

Immediate upgrade recommended for all deployments using API key authentication.

This release fixes a CRITICAL timing attack vulnerability (CWE-208) in API key comparison and restores API key authentication when OAuth is disabled (Issue #407).


Security Fixes

🚨 CRITICAL: Timing Attack Vulnerability (CWE-208)

  • Issue: API keys were checked with a direct string comparison, which stops at the first mismatching character; an attacker who can measure response times can therefore recover the key one character at a time
  • Fix: Replaced with secrets.compare_digest() for constant-time comparison
  • Impact: All API key authentication methods (X-API-Key header, query parameter, Bearer token)
  • Severity: CRITICAL
  • Credit: Identified by amp-pr-automator code review

Bug Fixes

API Key Authentication without OAuth (Issue #407)

  • Problem: API key authentication failed when MCP_OAUTH_ENABLED=false
    • Root cause: API routes declared their OAuth dependencies conditionally
    • WebUI and API endpoints returned 401 even with a valid API key
  • Solution:
    • Removed OAuth conditionals from ALL 44 API route endpoints
    • Authentication middleware now handles all methods unconditionally
    • Enables simple single-user deployments without OAuth overhead

New Features

Three Authentication Methods

1. X-API-Key Header (Recommended)

curl -H "X-API-Key: your-secret-key" http://localhost:8000/api/memories
  • Most secure: the key travels in a header and is not written to server request logs
  • Works with all API endpoints
  • Preferred for production use

2. Query Parameter (Convenient)

curl "http://localhost:8000/api/memories?api_key=your-secret-key"
  • Convenient for scripts and browsers
  • ⚠️ Warning: the key is part of the URL and ends up in server logs; use X-API-Key in production

3. Bearer Token (Backward Compatible)

curl -H "Authorization: Bearer your-secret-key" http://localhost:8000/api/memories
  • Maintains backward compatibility
  • Works with existing deployments

Configuration

API-Key-Only Deployment (No OAuth)

export MCP_API_KEY="your-secret-key"
export MCP_OAUTH_ENABLED=false
export MCP_ALLOW_ANONYMOUS_ACCESS=false

python scripts/server/run_http_server.py

See docs/oauth-setup.md for complete setup guide.
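As an added example that is not part of this release or of the project's code base, the following Python module sketches the authentication path the notes above describe: the constant-time comparison that replaces the direct string compare (Security Fixes), the three credential locations (New Features), and the API-key-only environment variables (Configuration). The function names, the precedence between the three methods, the hash-before-compare step and the log-redaction helper are assumptions made here, not the project's implementation.

```python
import hashlib
import secrets
import urllib.parse
from typing import Mapping, Optional, Tuple

TRUTHY = {"1", "true", "yes", "on"}


def check_api_key_vulnerable(provided: str, expected: str) -> bool:
    # The pattern this release removes: `==` stops at the first mismatching
    # character, so response time grows with the length of the correct prefix.
    return provided == expected


def constant_time_key_check(provided: Optional[str], expected: Optional[str]) -> bool:
    """Compare a presented key against the configured one in constant time.

    Both values are hashed first (a choice made in this example): the comparison
    then always runs over two 32-byte digests, so it neither raises TypeError on
    non-ASCII input (compare_digest requires ASCII str or bytes) nor exposes the
    configured key's length through a length-mismatch shortcut.
    """
    if not provided or not expected:
        return False  # no configured key, or no presented key: never authenticate
    a = hashlib.sha256(provided.encode("utf-8")).digest()
    b = hashlib.sha256(expected.encode("utf-8")).digest()
    return secrets.compare_digest(a, b)


def extract_api_key(headers: Mapping[str, str], query: Mapping[str, str]) -> Optional[str]:
    """Return the key from X-API-Key, Authorization: Bearer, or ?api_key=.

    The precedence used here (header, then bearer, then query) is an assumption
    of this example; the release notes list the methods but not an order.
    Header names are matched case-insensitively.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if lowered.get("x-api-key", "").strip():
        return lowered["x-api-key"].strip()
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    if query.get("api_key", "").strip():
        return query["api_key"].strip()
    return None


def authorize(headers: Mapping[str, str], query: Mapping[str, str],
              env: Mapping[str, str]) -> Tuple[int, str]:
    """Decide a request under the API-key-only deployment: (status, reason).

    MCP_OAUTH_ENABLED is deliberately not consulted: the key check runs the same
    way whether OAuth is on or off, which is the behaviour Issue #407 restores.
    """
    allow_anonymous = env.get("MCP_ALLOW_ANONYMOUS_ACCESS", "false").strip().lower() in TRUTHY
    presented = extract_api_key(headers, query)
    if presented is None:
        return (200, "anonymous") if allow_anonymous else (401, "missing credentials")
    if constant_time_key_check(presented, env.get("MCP_API_KEY")):
        return (200, "api-key")
    return (401, "invalid api key")


def redact_query_for_log(url: str) -> str:
    """Mask ?api_key= before a request URL reaches an access log.

    Mitigation for the query-parameter method's logging caveat; added in this
    example, not a feature the release notes describe.
    """
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == "api_key" else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


if __name__ == "__main__":
    # Constructed sample environment and the three request shapes from the notes.
    env = {"MCP_API_KEY": "your-secret-key", "MCP_ALLOW_ANONYMOUS_ACCESS": "false"}
    samples = [
        ("X-API-Key header", {"X-API-Key": "your-secret-key"}, {}),
        ("Bearer token", {"Authorization": "Bearer your-secret-key"}, {}),
        ("query parameter", {}, {"api_key": "your-secret-key"}),
        ("wrong key", {"X-API-Key": "your-secret-kez"}, {}),
        ("no credentials", {}, {}),
    ]
    for label, headers, query in samples:
        print(f"{label:18} -> {authorize(headers, query, env)}")
    print(redact_query_for_log("http://localhost:8000/api/memories?api_key=your-secret-key"))
```

Hashing before secrets.compare_digest() is optional if keys are guaranteed ASCII and equal length is not considered sensitive; it is done here so the comparison never depends on the input's encoding or length. An unset or empty MCP_API_KEY rejects every presented key rather than matching an empty string, which is the safe default for the API-key-only deployment above.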


Breaking Changes

None - fully backward compatible with existing deployments.


Upgrade Instructions

# PyPI
pip install --upgrade mcp-memory-service

# Docker
docker pull doobidoo/mcp-memory-service:v10.4.4

# From source
git pull origin main
git checkout v10.4.4
pip install -e .

What Changed

Files Modified: 19 files

  • Security: API key comparison timing attack fix
  • API Routes: 44 endpoints updated (9 modules)
  • Documentation: API key setup guide and examples
  • Tests: 228 lines of middleware test coverage

Commits: 9 commits squash-merged


Next Steps

  1. Upgrade immediately if using API key authentication
  2. Review .env.example for new API key configuration options
  3. Read docs/oauth-setup.md for deployment patterns
  4. Test authentication with curl examples above

Full Changelog: https://github.com/doobidoo/mcp-memory-service/blob/main/CHANGELOG.md#1044---2026-02-05
