Improper Access Control in usememos/memos
Description
Improper Access Control in GitHub repository usememos/memos prior to 0.13.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in usememos/memos prior to 0.13.2 allows attackers to bypass authentication via invalid access tokens.
Vulnerability
Overview
CVE-2023-4696 is an improper access control vulnerability in the usememos/memos application, affecting versions prior to 0.13.2. The root cause lies in the JWT middleware (server/jwt.go): after parsing the bearer token, the code went straight to reading its claims without checking the accessToken.Valid flag, which the parser sets only when signature verification and the standard claim checks (such as expiry) succeed. Tokens that were expired, malformed, or signed with the wrong key were therefore treated as legitimate [1][2].
Exploitation
An attacker exploits this by presenting a token that the parser can decode but cannot validate: an expired token, or one whose claims (for example the subject that identifies the user) have been edited, which breaks the signature. Because the parser fills in the claims from the token body before verification fails, and the middleware read those claims without consulting Valid, the only remaining hurdle is the audience check visible in the patch context, which the attacker satisfies by putting the expected access-token audience in the aud claim. No special network access or prior authentication is required; a single request with the crafted token to any protected endpoint suffices [2][3].
Impact
Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to the application. Because the subject claim that identifies the user comes from the unverified token, the attacker can impersonate any user, potentially leading to data exposure, modification, or privilege escalation. This compromises the confidentiality and integrity of the system [1][3].
Mitigation
The issue was fixed in commit c9aa2eeb9852047e4f41915eb30726bd25f07ecd, which adds a check for accessToken.Valid and returns an HTTP 401 Unauthorized error if the token is invalid [2]. Users are strongly advised to upgrade to version 0.13.2 or later, which includes this patch. No workarounds have been documented [1][3].
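The following is an added worked example, not code from the memos project: a minimal HS256 JWT parser written against the Go standard library stands in for golang-jwt's ParseWithClaims and reproduces the behaviour that matters here (claims are decoded into the struct before the signature is verified; a signature or expiry failure returns the token with Valid=false together with an error; a malformed string returns a nil token). The audience constant, the key material, and the VulnerableAuth/FixedAuth helpers are assumptions for illustration. VulnerableAuth models the pre-0.13.2 middleware that ignored Valid; FixedAuth applies the check added in c9aa2eeb9852 and additionally checks the parse error and nil token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessTokenAudience stands in for auth.AccessTokenAudienceName (assumed value).
const AccessTokenAudience = "user.access-token"

// Claims holds what the middleware reads: subject (user ID), audience, expiry.
type Claims struct {
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// Token mirrors *jwt.Token: decoded claims plus a Valid flag.
type Token struct {
	Claims Claims
	Valid  bool // set only after signature and expiry checks pass
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Sign mints an HS256 token with kid=v1; an attacker can call it with any key.
func Sign(c Claims, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": "v1"})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(hs256(key, signingInput))
}

// Parse mimics jwt.ParseWithClaims: claims are decoded before the signature is verified,
// a signature/expiry failure returns the token with Valid=false plus an error, and a
// malformed string returns a nil token.
func Parse(tok string, key []byte, now time.Time) (*Token, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("token contains an invalid number of segments")
	}
	t := &Token{}
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &t.Claims) != nil {
		return nil, errors.New("malformed payload")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return t, errors.New("signature is invalid") // claims are already populated
	}
	if t.Claims.Exp != 0 && !now.Before(time.Unix(t.Claims.Exp, 0)) {
		return t, errors.New("token is expired")
	}
	t.Valid = true
	return t, nil
}

func audienceContains(aud []string, want string) bool {
	for _, a := range aud {
		if a == want {
			return true
		}
	}
	return false
}

// VulnerableAuth reproduces the pre-0.13.2 pattern: the parse error and Valid are ignored.
func VulnerableAuth(tok string, key []byte, now time.Time) (userID string, ok bool) {
	t, _ := Parse(tok, key, now)
	if t == nil || !audienceContains(t.Claims.Aud, AccessTokenAudience) {
		return "", false
	}
	return t.Claims.Sub, true
}

// FixedAuth adds the c9aa2eeb Valid check plus an error/nil guard (401 rather than a panic).
func FixedAuth(tok string, key []byte, now time.Time) (userID string, ok bool) {
	t, err := Parse(tok, key, now)
	if err != nil || t == nil || !t.Valid || !audienceContains(t.Claims.Aud, AccessTokenAudience) {
		return "", false
	}
	return t.Claims.Sub, true
}

func main() {
	serverKey, now := []byte("server-secret"), time.Unix(1700000000, 0) // constructed secret and clock
	// Attacker-chosen key: the signature can never verify against serverKey.
	forged := Sign(Claims{Sub: "1", Aud: []string{AccessTokenAudience}, Exp: now.Unix() + 3600}, []byte("attacker-key"))
	_, vulnOK := VulnerableAuth(forged, serverKey, now)
	_, fixedOK := FixedAuth(forged, serverKey, now)
	fmt.Printf("forged token accepted? vulnerable=%v fixed=%v\n", vulnOK, fixedOK)
}
```

Running it prints that the forged token is accepted by the vulnerable path and rejected by the fixed one. The same split shows for an expired token signed with the real key. The nil-token guard in FixedAuth matters because a string with the wrong number of segments comes back from the parser as a nil token, and dereferencing Valid on it would panic rather than produce a 401.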
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/usememos/memos (Go) | < 0.13.2 | 0.13.2 |
Affected products
- usememos/memos: range unspecified
Patches
c9aa2eeb9852 fix: validate access token (#1867)
1 file changed · +5 −0
server/jwt.go+5 −0 modified@@ -111,6 +111,11 @@ func JWTMiddleware(server *Server, next echo.HandlerFunc, secret string) echo.Ha } return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"]) }) + + if !accessToken.Valid { + return echo.NewHTTPError(http.StatusUnauthorized, "Invalid access token.") + } + if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) { return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Invalid access token, audience mismatch, got %q, expected %q.", claims.Audience, auth.AccessTokenAudienceName)) }
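Review bot: The new `if !accessToken.Valid` check dereferences `accessToken` without first checking the error returned from the parse call whose callback closes just above it, and no such error check is visible in the surrounding context; golang-jwt returns a nil token together with the error when the token string is malformed (for example the wrong number of segments), so this line would panic on such input instead of returning 401. Suggest checking the error and nil case first, e.g. `if err != nil || accessToken == nil || !accessToken.Valid {`, and consider including the parse error in the 401 message alongside "Invalid access token." so that expiry and signature failures are distinguishable in logs.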
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.