github doobidoo/mcp-memory-service v10.67.1
v10.67.1 — Security Patch
on GitHub

8 hours ago

Security Patch — GHSA-84hp-mqvj-3p8h (CVSSv3.1 9.8 CRITICAL)

What's Fixed

fix(security): enforce authentication on all /api/documents/* routes

All 7 document endpoints were served without any authentication check, allowing unauthenticated access even when MCP_API_KEY or OAuth 2.1 was configured:

  • POST /api/documents/upload
  • POST /api/documents/batch-upload
  • GET /api/documents/status/{job_id}
  • GET /api/documents/history
  • DELETE /api/documents/remove
  • DELETE /api/documents/remove-by-tags
  • POST /api/documents/search-content

Advisory: GHSA-84hp-mqvj-3p8h
CVSSv3.1: 9.8 CRITICAL
Fix commit: 907bac7

Upgrade

All users running the HTTP server with MCP_API_KEY or OAuth 2.1 configured should upgrade immediately. 

pip install --upgrade mcp-memory-service==10.67.1

Changelog

See CHANGELOG.md for full details.

Check out latest releases or
releases around doobidoo/mcp-memory-service v10.67.1

Don't miss a new mcp-memory-service release

NewReleases is sending notifications on new releases.

Get notifications