mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
Description
mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call store_memory and delete_memory through MCP even though the corresponding REST endpoints require write scope. Version 10.65.3 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <10.65.3
Vulnerability mechanics
Root cause
"The MCP JSON-RPC endpoint at /mcp does not enforce OAuth write-scope checks on tools/call requests, allowing read-scope-only clients to invoke mutating operations like store_memory and delete_memory."
Attack vector
An attacker obtains a valid OAuth access token with only the `read` scope (e.g. via the standard OAuth authorization flow for an MCP client). The `/mcp` endpoint accepts any token that has the `read` scope and dispatches `tools/call` JSON-RPC requests to the underlying handler functions. Because the MCP transport layer does not independently verify that the caller holds a `write` scope, a read-only client can invoke `store_memory` or `delete_memory` — operations that the REST API at `/api/memories` would correctly block. The attacker sends a single HTTP POST to `/mcp` with a JSON-RPC body containing the method name and parameters for a mutating tool [ref_id=1].
Affected code
The MCP JSON-RPC endpoint at `/mcp` (handled by `mcp_memory_service.server`) and its `tools/call` dispatch logic. The advisory does not name a specific function or file, but the affected code is the OAuth scope validation path in the MCP transport layer [ref_id=1].
What the fix does
The advisory states that version 10.65.3 patches the issue by adding OAuth scope enforcement at the MCP transport layer. The fix ensures that before dispatching a `tools/call` request to a handler, the server checks whether the caller's OAuth token includes the `write` scope for any tool that performs mutation (e.g. `store_memory`, `delete_memory`). This aligns the MCP endpoint's authorization behavior with the existing REST API endpoint at `/api/memories`, which already requires `write` scope. No further details of the code change are visible in the bundle [ref_id=1].
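The gap and the per-tool check described above, as an added Python sketch; this is not code from mcp-memory-service or from the advisory. Only `tools/call`, `store_memory`, `delete_memory` and the `read`/`write` scopes come from the page. The `retrieve_memory` tool, the function names, the in-memory `db`, the `-32001` error code and the fail-closed default for unlisted tools are assumptions made for the example.

```python
# Added illustration, not mcp-memory-service code. Only store_memory, delete_memory,
# the read/write scopes and tools/call come from the advisory; the rest is hypothetical.
READ_ONLY_TOOLS = {"retrieve_memory"}  # hypothetical read tool, for contrast


def store_memory(db, args):
    db[args["id"]] = args["content"]
    return {"stored": args["id"]}


def delete_memory(db, args):
    return {"deleted": db.pop(args["id"], None) is not None}


def retrieve_memory(db, args):
    return {"content": db.get(args["id"])}


HANDLERS = {f.__name__: f for f in (store_memory, delete_memory, retrieve_memory)}


def required_scope(tool):
    # Fail closed: a tool not explicitly listed as read-only needs write scope.
    return "read" if tool in READ_ONLY_TOOLS else "write"


def rpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_mcp(request, scope_claim, db, enforce_tool_scope=True):
    """Dispatch one JSON-RPC request to /mcp. enforce_tool_scope=False models the
    behaviour described for versions before 10.65.3 (read scope gates everything)."""
    req_id, scopes = request.get("id"), set(scope_claim.split())
    if "read" not in scopes:  # endpoint-level gate, present in both variants
        return rpc_error(req_id, -32001, "insufficient_scope: read")
    if request.get("method") != "tools/call":
        return rpc_error(req_id, -32601, "method not found")
    params = request.get("params") or {}
    tool = params.get("name")
    if tool not in HANDLERS:
        return rpc_error(req_id, -32602, "unknown tool")
    needed = required_scope(tool)
    if enforce_tool_scope and needed not in scopes:  # the per-tool check
        return rpc_error(req_id, -32001, f"insufficient_scope: {needed}")
    result = HANDLERS[tool](db, params.get("arguments") or {})
    return {"jsonrpc": "2.0", "id": req_id, "result": result}
```

A regression test for this class of bug calls every registered tool with a `read`-only scope claim and asserts that each mutating tool returns an error and leaves the store unchanged.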
Preconditions
- auth: Attacker must have a valid OAuth access token with at least the `read` scope (obtainable through the standard OAuth flow for any MCP client)
- config: The server must have MCP_OAUTH_ENABLED=true (the default in the advertised setup) to expose the OAuth-protected /mcp endpoint
- network: The /mcp endpoint must be reachable over HTTP/HTTPS (the server binds to 0.0.0.0 or a publicly accessible host)
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-2r68-g678-7qr3 (mitre, x_refsource_MISC)
- pypi.org/project/mcp-memory-service/10.65.3 (mitre, x_refsource_MISC)
- web.archive.org/web/20260508112116/https://github.com/doobidoo/mcp-memory-service/ (mitre, x_refsource_CONFIRM)