CVE-2026-33010 is a high-severity security vulnerability in mcp-memory-service (pip), affecting versions < 10.25.1. It is fixed in 10.25.1.
Summary

When the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories.

Details

Vulnerable Code

config.py:546 - Wildcard CORS origin default

This produces ['*'] by default, allowing any origin.

app.py:274-280 - CORSMiddleware configuration

How the Attack Works

The wildcard CORS default means every API response includes Access-Control-Allow-Origin: *. This tells browsers to allow any website to read the response. When combined with anonymous access (no authentication required), the attack is straightforward:

The browser sends the request, the server responds with ACAO: *, and the browser allows the JavaScript to read the response body. No cookies, no auth headers, no credentials of any kind.

Clarification on allow_credentials=True: The advisory originally stated that Starlette reflects the Origin header when allow_credentials=True with wildcard origins. Testing with Starlette 0.52.1 shows that actual responses return ACAO: * (not the reflected origin); only preflight OPTIONS responses reflect the origin. Per the Fetch specification, browsers block ACAO: * when credentials: 'include' is used. However, this is irrelevant to the attack because anonymous access means no credentials are needed - a plain fetch() without credentials: 'include' works, and ACAO: * allows it.

Two Attack Vectors

This misconfiguration enables two distinct attack paths:

1. Cross-origin browser attack (CORS - this advisory)
   - Attacker lures victim to a malicious webpage
   - JavaScript on the page reads/writes the memory service API
   - Works from anywhere on the internet if the victim visits the page
   - The ACAO: * header is what allows the browser to expose the response to the attacker's JavaScript
2. Direct network access (compounding factor)
   - Attacker on the same network directly calls the API (curl http://<target>:8000/api/memories)
   - No CORS involved - CORS is a browser-only restriction
   - Enabled by 0.0.0.0 binding + anonymous access, independent of CORS configuration

The CORS misconfiguration specifically enables attack vector #1, extending the reach from local network to anyone who can get the victim to click a link.

Compounding Factors

- HTTP_HOST = '0.0.0.0' - Binds to all interfaces, exposing the service to the entire network (enables attack vector #2)
- HTTPS_ENABLED = 'false' - No TLS by default, allowing passive interception
- MCP_ALLOW_ANONYMOUS_ACCESS - When enabled, no authentication is required at all. This is the key enabler: without it, the CORS wildcard alone would not allow data access (the attacker would need to forward valid credentials, which ACAO: * blocks)
- allow_credentials=True - Bad practice: if a future Starlette version changes to reflect origins (as some CORS implementations do), this would escalate the vulnerability by allowing credential-forwarding attacks against OAuth/API-key users
- API key via query parameter - api_key query param is cached in browser history and server logs

Attack Scenario

1. Victim runs mcp-memory-service with HTTP enabled and anonymous access
2. Victim visits https://evil.com which includes JavaScript
3. JavaScript sends fetch('http://<victim-ip>:8000/api/memories') (no credentials needed)
4. Server responds with Access-Control-Allow-Origin: *
5. Browser allows JavaScript to read the response - attacker receives all memories
6. Attacker's script also calls DELETE/PUT endpoints to modify or destroy memories
7. Victim sees a normal web page; no indication of the attack

Root Cause

The default value of MCP_CORS_ORIGINS is *, which allows any website to read API responses. This is a permissive default that should be restricted to the expected dashboard origin (typically localhost). The allow_credentials=True is an additional misconfiguration that doesn't currently enable the attack.

PoC

Impact

- Complete cross-origin memory access: Any website can read all stored memories when the victim has the HTTP server running with anonymous access
- Memory tampering: Write/delete endpoints are also accessible cross-origin, allowing memory destruction
- Remote attack surface: Unlike direct network access (which requires LAN proximity), the CORS vector works from anywhere on the internet - the victim just needs to visit a link
- Silent exfiltration: The attack is invisible to the victim; no browser warnings, no popups, no indicators

Remediation

Replace the wildcard default with an explicit localhost origin:

Affected Deployments

The vulnerability exists in the Python source code and is not mitigated by any deployment-specific configuration. Docker HTTP mode is the highest-risk deployment because it explicitly binds to 0.0.0.0, maps the port, and does not override the wildcard CORS default.
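The setting combinations described above can be checked mechanically. The following is an added example, not code from mcp-memory-service or the advisory: it models the Fetch-spec CORS check and flags the risky combinations. HttpConfig, audit, the https://untrusted.example probe origin and the http://localhost:8000 dashboard origin are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class HttpConfig:
    # Hypothetical container for the settings named in the advisory.
    cors_origins: list        # value handed to allow_origins
    allow_credentials: bool   # value handed to allow_credentials
    anonymous_access: bool    # MCP_ALLOW_ANONYMOUS_ACCESS
    host: str                 # HTTP_HOST

def response_cors_headers(cfg, request_origin):
    """Simplified model of the CORS headers on a non-preflight response.
    Follows the behaviour the advisory reports: a wildcard config answers
    with a literal '*', not the reflected origin."""
    if "*" in cfg.cors_origins:
        acao = "*"
    elif request_origin in cfg.cors_origins:
        acao = request_origin
    else:
        acao = None
    return acao, bool(acao) and cfg.allow_credentials

def browser_exposes_response(acao, acac, page_origin, with_credentials):
    """Fetch-spec CORS check: may a script on page_origin read the body?"""
    if with_credentials:
        # '*' is rejected for credentialed requests; exact match + ACAC needed.
        return acao == page_origin and acac
    return acao in ("*", page_origin)

def audit(cfg, foreign_origin="https://untrusted.example"):
    """Return findings for the setting combinations the advisory describes."""
    findings = []
    acao, acac = response_cors_headers(cfg, foreign_origin)
    if browser_exposes_response(acao, acac, foreign_origin, False):
        if cfg.anonymous_access:
            findings.append("CRITICAL: any website can read and modify data without credentials")
        else:
            findings.append("WARN: wildcard origin; restrict allowed origins to the dashboard")
    if "*" in cfg.cors_origins and cfg.allow_credentials:
        findings.append("WARN: allow_credentials=True combined with wildcard origins")
    if cfg.host == "0.0.0.0" and cfg.anonymous_access:
        findings.append("HIGH: anonymous API bound to all interfaces")
    return findings

# Constructed configurations: the defaults described above vs. a restricted setup.
VULNERABLE = HttpConfig(["*"], True, True, "0.0.0.0")
HARDENED = HttpConfig(["http://localhost:8000"], False, False, "127.0.0.1")

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```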
CVE-2026-33010 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (10.25.1). Upgrading removes the vulnerable code path.
Affected: mcp-memory-service (< 10.25.1), pip
Fixed: mcp-memory-service → 10.25.1 (pip)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
CVE-2026-33010 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
mcp-memory-service (pip) versions < 10.25.1 are affected.
Yes. CVE-2026-33010 is fixed in 10.25.1. Upgrade to this version or later.
Whether CVE-2026-33010 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade mcp-memory-service to 10.25.1 or later.