CVE-2026-33010 Overview
CVE-2026-33010 is a critical CORS (Cross-Origin Resource Sharing) misconfiguration vulnerability in mcp-memory-service, an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with overly permissive settings including allow_origins=['*'], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. This dangerous combination permits any website to read API responses cross-origin.
Critical Impact
When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true), any malicious website can silently read, modify, and delete all stored memories without authentication, leading to complete compromise of stored data.
Affected Products
- mcp-memory-service versions prior to 10.25.1
- Deployments with MCP_HTTP_ENABLED=true configuration
- Instances configured with MCP_ALLOW_ANONYMOUS_ACCESS=true
Discovery Timeline
- 2026-03-20 - CVE-2026-33010 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33010
Vulnerability Analysis
This vulnerability stems from an insecure default configuration in the FastAPI CORS middleware implementation. The combination of wildcard origin (*) with credentials support creates a scenario where browsers will include cookies and authentication headers in cross-origin requests while simultaneously allowing any domain to read the responses. This configuration violates the fundamental security principles of the Same-Origin Policy.
The vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The attack requires user interaction—specifically, a victim must visit a malicious website while authenticated to the vulnerable mcp-memory-service instance. Once triggered, the attacker gains full read, write, and delete access to all stored memories in the multi-agent system.
Root Cause
The root cause is the misconfiguration of FastAPI's CORSMiddleware with overly permissive settings. Setting allow_origins=['*'] combined with allow_credentials=True is explicitly warned against in web security best practices, as it effectively disables cross-origin protections. When anonymous access is also enabled for convenience (the simplest way to get the HTTP dashboard working without OAuth), the attack surface expands to allow complete unauthenticated access from any origin.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can craft a malicious webpage containing JavaScript that makes cross-origin requests to a vulnerable mcp-memory-service instance. When a victim visits this page, the malicious JavaScript executes in their browser context and can:
- Enumerate all stored memories via API calls
- Exfiltrate sensitive data from the memory backend
- Modify existing memories to inject malicious content
- Delete critical memories, disrupting multi-agent system operations
The vulnerability manifests in the CORS middleware configuration within the FastAPI application. When a cross-origin request is made, the server responds with Access-Control-Allow-Origin: * header, permitting any origin to read the response. For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33010
Indicators of Compromise
- Unusual cross-origin requests to mcp-memory-service API endpoints from external domains
- Unexpected memory deletions or modifications in audit logs
- API access patterns showing bulk data retrieval from unfamiliar IP addresses or referrer domains
- JavaScript errors in browser console related to CORS on legitimate admin pages indicating potential tampering
Detection Strategies
- Monitor HTTP request logs for requests with Origin headers from untrusted domains
- Implement alerting on unusual API activity patterns such as bulk reads, deletions, or modifications
- Deploy web application firewalls (WAF) to detect and block suspicious cross-origin request patterns
- Review application configuration for insecure CORS settings during security audits
Monitoring Recommendations
- Enable detailed logging for all API endpoints with origin and referrer tracking
- Set up anomaly detection for memory access patterns in multi-agent system operations
- Monitor for configuration changes to MCP_HTTP_ENABLED and MCP_ALLOW_ANONYMOUS_ACCESS settings
- Implement real-time alerting on memory deletion events
How to Mitigate CVE-2026-33010
Immediate Actions Required
- Upgrade mcp-memory-service to version 10.25.1 or later immediately
- If immediate upgrade is not possible, disable HTTP server by setting MCP_HTTP_ENABLED=false
- Disable anonymous access by setting MCP_ALLOW_ANONYMOUS_ACCESS=false and configure proper OAuth authentication
- Review access logs for signs of exploitation and audit stored memories for unauthorized changes
Patch Information
The vulnerability has been patched in mcp-memory-service version 10.25.1. The patch addresses the insecure CORS configuration by implementing proper origin validation and removing the dangerous wildcard configuration. Organizations should upgrade to this version or later to remediate the vulnerability. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Disable HTTP server functionality entirely if not required by setting MCP_HTTP_ENABLED=false
- Place the mcp-memory-service behind a reverse proxy that enforces strict CORS policies
- Implement network-level access controls to restrict which domains can reach the service
- Enable OAuth authentication and disable anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=false)
# Configuration example - Secure mcp-memory-service settings
# Disable HTTP server if not required
export MCP_HTTP_ENABLED=false
# If HTTP is required, disable anonymous access
export MCP_ALLOW_ANONYMOUS_ACCESS=false
# Configure OAuth for proper authentication
# Refer to documentation for OAuth provider configuration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
