VYPR
High severity · NVD Advisory · Published May 27, 2026

CVE-2026-44830

Description

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins=["*"], operators following the Docker setup without explicitly setting API_TOKEN expose the full Knowledge-Graph read/write API to any LAN-reachable client. An attacker on the same network can read, write, or delete all memory entries — including system://boot and core://* URIs that auto-load into downstream agent sessions, enabling persistent prompt-injection. This vulnerability is fixed in 2.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nocturne Memory ≤2.4.0 skips HTTP auth when API_TOKEN is empty, exposing the knowledge-graph API to any LAN attacker for read/write/delete of all memory entries.

Vulnerability

In Nocturne Memory versions prior to 2.4.1, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests when the API_TOKEN environment variable is unset or empty [1]. This issue is compounded by the default host binding of 0.0.0.0 and CORS configuration allow_origins=["*"], meaning operators following the Docker setup without explicitly setting API_TOKEN expose the full Knowledge-Graph read/write API to any LAN-reachable client [1]. The stdio mode (local MCP) is not affected.

Exploitation

An attacker needs only network access to the same LAN as the vulnerable Nocturne Memory server. No authentication is required. The attacker can send arbitrary HTTP requests to the exposed endpoints, including the Knowledge-Graph API, to read, write, or delete any memory entry [1]. This includes system://boot and core://* URIs that auto-load into downstream agent sessions.

Impact

Successful exploitation allows a LAN attacker to fully compromise the memory store: reading sensitive memory entries, writing malicious data, or deleting critical records [1]. By manipulating system://boot and core://* URIs, the attacker can inject persistent prompts into downstream agent sessions, leading to arbitrary agent behavior or information disclosure.

Mitigation

Upgrade to Nocturne Memory version 2.4.1, which refuses to start the HTTP/SSE transport without an API_TOKEN (minimum 32 characters), defaults host binding to 127.0.0.1, restricts CORS to localhost by default, and fails fast in docker-compose.yml on a missing API_TOKEN [1]. As a workaround, operators can set a strong API_TOKEN in the environment and change the host binding to 127.0.0.1 manually [1].
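The fail-open behaviour described under Vulnerability and the fail-closed startup check described under Mitigation, side by side as an added illustration. This is not Nocturne Memory's own code; the function names, the HOST variable and the config dict are hypothetical stand-ins for the project's real middleware and settings.

```python
import hmac
from typing import Dict, Optional

MIN_TOKEN_LEN = 32  # minimum token length enforced by the 2.4.1 startup check


def vulnerable_is_authorized(api_token: Optional[str], headers: Dict[str, str]) -> bool:
    """Fail-open check modelled on the pre-2.4.1 behaviour: an unset or empty
    API_TOKEN switches authentication off for every request."""
    if not api_token:
        return True  # the bug: no configured token means every caller is accepted
    return headers.get("authorization", "") == f"Bearer {api_token}"


def build_http_config(env: Dict[str, str]) -> Dict[str, object]:
    """Fail-closed startup validation mirroring the 2.4.1 fix.  `env` is a plain
    dict standing in for os.environ so the check is testable; HOST is a
    hypothetical setting name, not the project's."""
    token = env.get("API_TOKEN", "")
    if len(token) < MIN_TOKEN_LEN:
        raise RuntimeError(
            f"API_TOKEN must be set and at least {MIN_TOKEN_LEN} characters "
            "long before the HTTP/SSE transport can start")
    return {
        "api_token": token,
        # loopback unless the operator explicitly opts in to a wider binding
        "host": env.get("HOST", "127.0.0.1"),
        # localhost-only CORS instead of allow_origins=["*"]
        "cors_origins": ["http://localhost", "http://127.0.0.1"],
    }


def hardened_is_authorized(api_token: str, headers: Dict[str, str]) -> bool:
    """Bearer check that only runs after build_http_config() succeeded, so there
    is no empty-token branch to fall through; compares in constant time."""
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), api_token.encode())


if __name__ == "__main__":
    anonymous: Dict[str, str] = {}  # constructed request with no Authorization header
    print("pre-2.4.1, API_TOKEN unset:", vulnerable_is_authorized("", anonymous))
    try:
        build_http_config({})  # the same deployment under the fixed startup check
    except RuntimeError as exc:
        print("2.4.1:", exc)
```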

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
