How serious is CVE-2026-29787?

This vulnerability has a CVSS score of 5.3 out of 10, classified as MEDIUM severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-29787?

CVE-2026-29787 affects doobidoo mcp-memory-service. Check the full CVE details for specific version information.

How do I fix CVE-2026-29787?

To remediate CVE-2026-29787, check for security patches from doobidoo. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-29787

Medium

|5.3

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

An attacker can access sensitive system information, such as the operating system version and database paths, through an unsecured endpoint if the service is configured to allow anonymous access. This is particularly risky if the service is set to listen on all network interfaces, making it visible to anyone on the network.

Technical Description

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCP_ALLOW_ANONYMOUS_ACCESS=true is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default 0.0.0.0 binding, this exposes sensitive reconnaissance data to the entire network. This issue has been patched in version 10.21.0.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactLow

Integrity ImpactNone

Availability ImpactNone

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$724($500-$1K)

Vendor Response

Grade APatched in 4 days

Quick Information

Published

Mar 7, 2026

about 1 month ago

Last Modified

Mar 11, 2026

27 days ago

Vendor

doobidoo

Product

mcp-memory-service