VYPR
High severity · NVD Advisory · Published Sep 1, 2023 · Updated Sep 30, 2024

Improper Input Validation in usememos/memos

CVE-2023-4698

Description

Improper Input Validation in GitHub repository usememos/memos prior to 0.13.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in usememos/memos before 0.13.2 allows unauthenticated access: the JWT middleware never checked the parsed access token's Valid flag, so tokens that fail verification were still accepted.

Vulnerability

CVE-2023-4698 describes an improper input validation vulnerability in the usememos/memos note-taking application prior to version 0.13.2. The root cause is that the JWT middleware never checked the Valid flag of the parsed access token during authentication, as seen in the fix commit [3].

Exploitation

An attacker does not need the server's signing secret. The JWT library decodes the claims from the token payload before it verifies the signature, so a token carrying attacker-chosen claims (for example another user's subject and the expected audience) with a bogus signature still yields a populated claims struct; the library reports the failure only through its returned error and by leaving the parsed token's Valid flag false. Because the middleware never consulted that flag, it went on to the audience check and treated the unverified claims as authenticated, bypassing the intended authentication mechanism [1].

Impact

Successful exploitation allows an attacker to impersonate any user (or otherwise gain unauthorized access to the application) by presenting a token that carries the chosen claims but fails verification. This can lead to unauthorized reading, modification, or deletion of notes and other sensitive data stored in the memos instance [2].

Mitigation

The issue was fixed in commit c9aa2eeb9852047e4f41915eb30726bd25f07ecd, which adds a check for accessToken.Valid in the JWT middleware and returns HTTP 401 ("Invalid access token.") when the parsed token is not valid [3]. The fix is included in memos version 0.13.2 and later. Users are strongly advised to upgrade to the latest version to protect against this vulnerability [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
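The mechanics described in the Exploitation and Mitigation paragraphs above, as an added example that is not part of this advisory or of the memos code base. It uses only the Go standard library: Parse is a minimal stand-in for a JWT library's ParseWithClaims (it fills the caller's claims struct before checking the HS256 signature and reports failure through err and the Valid flag; a real library also validates exp/nbf before setting Valid, which is omitted here), MintToken signs a token with whatever secret it is given, and AccessTokenAudience is an assumed value standing in for auth.AccessTokenAudienceName. AuthenticateVulnerable is a reconstruction, assumed from the shape of the patch, of a flow in which the parse result is never consulted; AuthenticateFixed adds the Valid check from the fix plus an err guard.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AccessTokenAudience stands in for auth.AccessTokenAudienceName (value assumed).
const AccessTokenAudience = "user.access-token"

// Claims is the subset of registered claims the middleware consults.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"`
}

// Token models a parsed JWT; Valid is set only after the signature verifies.
type Token struct {
	Valid bool
}

func hs256(signingInput, secret string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintToken builds an HS256 JWT; signed with the wrong secret, its claims still decode.
func MintToken(sub string, aud []string, secret string) string {
	payload, _ := json.Marshal(Claims{Subject: sub, Audience: aud})
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT","kid":"v1"}`))
	signingInput := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(hs256(signingInput, secret))
}

// Parse mirrors a ParseWithClaims-style contract: claims is filled from the payload
// before the signature is checked, so a caller ignoring err and Valid sees attacker data.
func Parse(raw, secret string, claims *Claims) (*Token, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("token contains an invalid number of segments")
	}
	tok := &Token{}
	payload, perr := base64.RawURLEncoding.DecodeString(parts[1])
	sig, serr := base64.RawURLEncoding.DecodeString(parts[2])
	if perr != nil || serr != nil || json.Unmarshal(payload, claims) != nil {
		return tok, errors.New("malformed token")
	}
	if !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], secret)) {
		return tok, errors.New("signature is invalid")
	}
	tok.Valid = true
	return tok, nil
}

func audienceContains(aud []string, want string) bool {
	for _, a := range aud {
		if a == want {
			return true
		}
	}
	return false
}

// AuthenticateVulnerable reconstructs the pre-0.13.2 flow the patch implies (assumed):
// the returned token, its Valid flag and the parse error are never consulted.
func AuthenticateVulnerable(raw, secret string) (string, error) {
	claims := &Claims{}
	_, _ = Parse(raw, secret, claims)
	if !audienceContains(claims.Audience, AccessTokenAudience) {
		return "", errors.New("audience mismatch")
	}
	return claims.Subject, nil
}

// AuthenticateFixed adds the patched Valid check, plus an err guard for nil tokens.
func AuthenticateFixed(raw, secret string) (string, error) {
	claims := &Claims{}
	accessToken, err := Parse(raw, secret, claims)
	if err != nil || !accessToken.Valid {
		return "", errors.New("Invalid access token.")
	}
	if !audienceContains(claims.Audience, AccessTokenAudience) {
		return "", errors.New("audience mismatch")
	}
	return claims.Subject, nil
}

func main() {
	forged := MintToken("1", []string{AccessTokenAudience}, "attacker-guess") // wrong secret
	sub, err := AuthenticateVulnerable(forged, "server-side-secret")
	fmt.Printf("vulnerable: subject=%q err=%v\n", sub, err)
	sub, err = AuthenticateFixed(forged, "server-side-secret")
	fmt.Printf("fixed:      subject=%q err=%v\n", sub, err)
}
```

Running it shows the vulnerable path returning subject "1" for a token signed with a secret the server never issued, while the fixed path rejects the same token. The err guard in AuthenticateFixed is the reviewer's addition on top of the patch: a parser that returns a nil token for a malformed string would otherwise turn the Valid check into a nil dereference.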

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
github.com/usememos/memos (Go)   >= 0

Affected products

2

Patches

1
c9aa2eeb9852

fix: validate access token (#1867)

https://github.com/usememos/memos · CorrectRoadH · Jun 30, 2023 · via ghsa
1 file changed · +5 −0
  • server/jwt.go · +5 −0 · modified
    @@ -111,6 +111,11 @@ func JWTMiddleware(server *Server, next echo.HandlerFunc, secret string) echo.Ha
     			}
     			return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
     		})
    +
    +		if !accessToken.Valid {
    +			return echo.NewHTTPError(http.StatusUnauthorized, "Invalid access token.")
    +		}
    +
     		if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) {
     			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Invalid access token, audience mismatch, got %q, expected %q.", claims.Audience, auth.AccessTokenAudienceName))
     		}
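Review bot: the `if !accessToken.Valid` guard is placed correctly, ahead of the audience check that reads claims, but the err returned together with accessToken by the parse call is outside the visible context of this hunk; if it is discarded or shadowed above, Valid is the only thing keeping claims decoded from an unverified payload away from audienceContains, and if the parser returns a nil token for a malformed string (as some JWT libraries do for a wrong segment count), `accessToken.Valid` becomes a nil dereference. Suggest checking both, e.g. `if err != nil || !accessToken.Valid {`, logging err server-side, and keeping the generic "Invalid access token." message so the client learns nothing about why verification failed.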
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.