CVE-2026-33010 | high | CVSS 8.1

mcp-memory-service Wildcard CORS Lets Any Website Steal, Modify, or Delete Agent Memories

Tags: mcp, agentic-security, cors, memory, multi-agent

mcp-memory-service — the open-source memory backend used by multi-agent systems to persist and share context between agent runs — shipped a critical misconfiguration in its HTTP server mode. Prior to version 10.25.1, when HTTP access was enabled, the server configured FastAPI's CORS middleware with allow_origins=['*'] and allow_credentials=True simultaneously — a combination the CORS specification explicitly prohibits for security reasons. Combined with MCP_ALLOW_ANONYMOUS_ACCESS=true (the default quickstart configuration), no authentication was required at all.

Any malicious website visited by a developer running mcp-memory-service locally could silently read all stored agent memories, inject false memories, or delete the entire memory store via cross-origin fetch requests — with no user prompt, browser warning, or authentication challenge.

The blast radius is structural: mcp-memory-service is a shared memory substrate across agent runs and often across multiple agents in the same system. An attacker who can read the memory store can reconstruct agent plans, exfiltrate tool outputs, and observe credentials or API keys that agents cached for reuse. An attacker who can write to it can inject false context that shapes future agent behavior — a persistent, low-visibility form of prompt injection that survives agent restarts.

Immediate recommendation: Upgrade to mcp-memory-service ≥ 10.25.1. If you must keep running an older version, set MCP_HTTP_ENABLED=false or enforce OAuth before enabling HTTP access.
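
One way to check a deployment for the combination described above, as an added example that is not code from mcp-memory-service: a stdlib-only Python audit that flags the risky settings and applies the browser's CORS rule to a response's headers. The function names, the probe origin and the sample headers are constructed for illustration; only the setting and environment variable names come from this advisory.

```python
# Added example: audit CORS settings and headers for the pattern in this advisory.
PROBE_ORIGIN = "https://untrusted.example"  # constructed origin, never allowlisted


def audit_config(allow_origins, allow_credentials, env):
    """Flag risky CORSMiddleware-style settings and environment flags."""
    findings = []
    # Assumption: only an explicit "false" counts as disabled, so an unset
    # variable is still audited and the check errs toward reporting.
    if env.get("MCP_HTTP_ENABLED", "").lower() == "false":
        return findings
    if "*" in allow_origins:
        findings.append("wildcard-origin")
        if allow_credentials:
            findings.append("wildcard-with-credentials")
    if env.get("MCP_ALLOW_ANONYMOUS_ACCESS", "").lower() == "true":
        findings.append("anonymous-access")
    return findings


def origin_can_read(headers, origin=PROBE_ORIGIN, credentialed=False):
    """Browser-side CORS check: may a page at `origin` read this response?"""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if credentialed:
        # '*' is never accepted for credentialed requests; the origin must be echoed.
        creds = h.get("access-control-allow-credentials") == "true"
        return acao == origin and creds
    return acao in ("*", origin)


# Constructed sample responses to a request carrying Origin: PROBE_ORIGIN.
PERMISSIVE = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
              "Access-Control-Allow-Credentials": "true"}
WILDCARD = {"Access-Control-Allow-Origin": "*"}
ALLOWLISTED = {"Vary": "Origin"}  # origin not on the allowlist: no ACAO header

if __name__ == "__main__":
    env = {"MCP_HTTP_ENABLED": "true", "MCP_ALLOW_ANONYMOUS_ACCESS": "true"}
    print(audit_config(["*"], True, env))
    for name, resp in [("permissive", PERMISSIVE), ("wildcard", WILDCARD),
                       ("allowlisted", ALLOWLISTED)]:
        print(name, origin_can_read(resp), origin_can_read(resp, credentialed=True))
```

When anonymous access is on, the uncredentialed wildcard case alone is enough for a cross-origin read, so dropping allow_credentials without restricting origins or requiring authentication does not close the exposure.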