Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Dataojitori
Dataojitori nocturne Memory |
|
| Vendors & Products |
Dataojitori
Dataojitori nocturne Memory |
Wed, 27 May 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 27 May 2026 15:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins=["*"], operators following the Docker setup without explicitly setting API_TOKEN expose the full Knowledge-Graph read/write API to any LAN-reachable client. An attacker on the same network can read, write, or delete all memory entries — including system://boot and core://* URIs that auto-load into downstream agent sessions, enabling persistent prompt-injection. This vulnerability is fixed in 2.4.1. | |
| Title | Empty API_TOKEN disables authentication on network-reachable HTTP/SSE transport | |
| Weaknesses | CWE-306 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-27T15:33:42.680Z
Reserved: 2026-05-07T21:21:48.351Z
Link: CVE-2026-44830
Updated: 2026-05-27T15:33:39.910Z
Status : Deferred
Published: 2026-05-27T15:16:28.297
Modified: 2026-06-17T10:51:24.200
Link: CVE-2026-44830
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:50:44Z