CVE-2026-54561

CVE-2026-54561 is a medium-severity path traversal vulnerability in mcp-memory-keeper (npm), affecting versions < 0.13.0. It is fixed in 0.13.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

mcp-memory-keeper: Arbitrary local file read in context_import via unvalidated filePath

Workarounds

Upgrade to >= 0.13.0. There is no configuration-only workaround for affected versions.

Resources

  • Report: GitHub issue #35
  • Fix: PR #36

Credit

Reported by Zhihao Zhang (@mcfly-zzh).

Impact

context_import passed the caller-supplied filePath directly to fs.readFileSync with no path confinement. A malicious MCP client, or an LLM agent that is prompt-injected into calling the tool, could point filePath at any file readable by the server process, outside any session or export directory:

  • Full disclosure (JSON files): a valid-JSON target (e.g. another user's exported session, or a *.json credential / service-account file) is parsed and imported into the caller's session, then retrievable verbatim via context_get / context_export.
  • Partial disclosure (any file): for a non-JSON target (e.g. /etc/passwd, an SSH key, a .env), JSON.parse throws and V8 includes a snippet of the file's leading bytes in the SyntaxError message, which was returned verbatim to the caller.

Both ../ traversal and absolute paths worked, there was no path confinement of any kind.

In a typical MCP deployment the server runs on the developer's machine, so the reachable set includes other users' exported memory sessions, JSON credential/config files, and (in leading-bytes form) .env files, SSH keys, and /etc/passwd. The trigger is a tool argument, so the realistic threat model is an LLM agent prompt-injected into calling context_import, or any MCP client connected to the server.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-54561 has a CVSS score of 6.2 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.13.0); upgrading removes the vulnerable code path.

Affected versions

mcp-memory-keeper (< 0.13.0)

Security releases

mcp-memory-keeper → 0.13.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Fixed in 0.13.0 (PR #36):

  • Imports are confined to a server-owned exports directory (<DATA_DIR>/exports, overridable via MEMORY_KEEPER_EXPORT_DIR), resolved with realpathSync. ../ traversal, absolute paths outside the directory, and symlink escapes are all rejected.
  • File read and JSON.parse are separate operations; read/parse failures return a generic message and never echo file bytes (the SyntaxError-message leak is gone). The database-write path is likewise generic.
  • An E2E security regression suite covers the reported arbitrary-read and traversal vectors, plus symlink escape, the directory-prefix boundary, and a no-existence-oracle check.

Frequently Asked Questions

  1. What is CVE-2026-54561? CVE-2026-54561 is a medium-severity path traversal vulnerability in mcp-memory-keeper (npm), affecting versions < 0.13.0. It is fixed in 0.13.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-54561? CVE-2026-54561 has a CVSS score of 6.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of mcp-memory-keeper are affected by CVE-2026-54561? mcp-memory-keeper (npm) versions < 0.13.0 is affected.
  4. Is there a fix for CVE-2026-54561? Yes. CVE-2026-54561 is fixed in 0.13.0. Upgrade to this version or later.
  5. Is CVE-2026-54561 exploitable, and should I be worried? Whether CVE-2026-54561 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-54561 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-54561? Upgrade mcp-memory-keeper to 0.13.0 or later.

Stop the waste.
Protect your environment with Kodem.