Home / Vulnerability Intelligence / CVE-2026-33010

CVE-2026-33010 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 20, 2026

mcp-memory-service - CORS Misconfiguration

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

mcp-memory-service < 10.25.1 contains a CORS misconfiguration caused by permissive CORSMiddleware settings combined with anonymous access, letting remote attackers read, modify, and delete stored memories cross-origin without credentials.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can read, modify, and delete all stored memories via cross-origin requests without authentication.

Mitigation

Update to version 10.25.1 or later.

References

https://github.com/doobidoo/mcp-memory-service/security/advisories/GHSA-g9rg-8vq5-mpwm

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 20, 2026

🟠 CVE-2026-33010 - High (8.1) mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=['*'], allow_cre... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33010/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 20, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-33010
Severity: High
CVSS Score: 8.1
Type: cors_misconfiguration
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

CWE-942

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days