github doobidoo/mcp-memory-service v9.0.1
v9.0.1 - CRITICAL HOTFIX: Mass Deletion Bug Fix
on GitHub

latest releases: v10.48.0, v10.47.2, v10.47.1...
3 months ago

🚨 CRITICAL HOTFIX - All v9.0.0 Users Must Upgrade Immediately

What Happened

A critical bug was discovered in v9.0.0 that allows accidental mass deletion of memories through the /api/manage/delete-untagged endpoint.

Incident Details:

  • Date/Time: 2026-01-17 at 10:59:20
  • Impact: 6,733 memories (87% of database) were accidentally soft-deleted
  • Root Cause: confirm_count parameter was optional in the API endpoint
  • User Impact: Calling the endpoint without confirm_count deleted ALL untagged memories without confirmation

What's Fixed

confirm_count parameter is now REQUIRED (was optional in v9.0.0)
Enhanced safety check - Always validates confirm_count matches actual count
Improved error messages - Guides users to use GET /api/manage/count-untagged first
Comprehensive documentation - Clear security warnings added

File Changed: src/mcp_memory_service/web/api/manage.py:254

Recovery Instructions

If you were affected by this bug in v9.0.0, your memories can be restored: 

-- Restore all soft-deleted memories
UPDATE memories SET deleted_at = NULL WHERE deleted_at IS NOT NULL;

For detailed recovery instructions, see CHANGELOG.md

How to Upgrade

Method 1: Automatic (Recommended) 

# macOS/Linux
./scripts/update_and_restart.sh

# Windows PowerShell
.\scripts\service\windows\update_and_restart.ps1

Method 2: Manual 

pip install --upgrade mcp-memory-service
# Or for lite version:
pip install --upgrade mcp-memory-service-lite

Method 3: From Source 

git pull origin main
uv lock
pip install -e .

Why This Matters

This bug affects ALL v9.0.0 installations. The API endpoint can be called through:

  • Web dashboard (http://127.0.0.1:8000/)
  • Direct API calls
  • Automation scripts
  • Third-party integrations

Without the fix, any of these could accidentally delete all untagged memories.

Breaking Change Notice

API Change: The /api/manage/delete-untagged endpoint now requires the confirm_count parameter. This is a breaking change from v9.0.0, but necessary to prevent data loss.

Migration Required: If you have automation scripts calling this endpoint, update them to:

  1. First call GET /api/manage/count-untagged to get the count
  2. Then call POST /api/manage/delete-untagged with the confirm_count parameter

Verification

After upgrading, verify your version: 

python -c "import mcp_memory_service; print(mcp_memory_service.__version__)"
# Should output: 9.0.1

Full Changelog

See CHANGELOG.md for complete details.

Support

If you need assistance with recovery or have questions:

This is a critical security/data-loss fix. Please upgrade immediately.

Check out latest releases or
releases around doobidoo/mcp-memory-service v9.0.1

Don't miss a new mcp-memory-service release

NewReleases is sending notifications on new releases.

Get notifications