PatchSiren cyber security CVE debrief
CVE-2026-44830 Dataojitori CVE debrief
A critical authentication bypass vulnerability in Nocturne Memory, a Long-Term Memory Server for MCP Agents, allows unauthenticated network attackers to fully compromise memory data when deployed with default Docker configurations. The vulnerability stems from BearerTokenAuthMiddleware failing to enforce authentication when API_TOKEN is unset or empty, combined with permissive default network bindings (0.0.0.0) and unrestricted CORS (allow_origins=[*]). Attackers on the same network can read, write, or delete all memory entries including system://boot and core://* URIs that auto-load into downstream agent sessions, enabling persistent prompt-injection attacks against connected AI agents. The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects high impact across confidentiality, integrity, and availability with adjacent network attack vector. This vulnerability was disclosed via GitHub Security Advisory and received by NVD on 2026-05-27.
- Vendor: Dataojitori
- Product: nocturne_memory
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Nocturne Memory for MCP agent persistence, AI/ML platform teams, DevOps engineers deploying containerized memory services, security teams monitoring AI supply chain risks, and developers building agentic applications with long-term memory requirements
Technical summary
The BearerTokenAuthMiddleware in Nocturne Memory versions prior to 2.4.1 contains a logic flaw: when API_TOKEN is empty or unset, authentication is skipped entirely (fail open) instead of every request being rejected (fail closed). The middleware's conditional check does not distinguish between the 'no token configured' and 'token validation failed' states. Combined with the default Docker Compose configuration, which binds to 0.0.0.0:8000 and sets CORS allow_origins=[*], this exposes the complete REST API to any network-reachable client. The Knowledge-Graph API endpoints permit arbitrary CRUD operations on memory entries, including system-reserved namespaces that are loaded automatically into MCP agent context windows. An attacker can achieve persistent compromise by injecting malicious instructions into the system://boot or core://* URIs; those instructions are then processed in subsequent agent sessions without any further network access. The vulnerability is classified as CWE-306: Missing Authentication for Critical Function.
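The fail-open pattern described above, reconstructed as plain functions beside a fail-closed version, as an added example that is not Nocturne Memory's own middleware code. The function names, the header parsing, and the startup guard are assumptions; the advisory only states that an unset or empty API_TOKEN bypasses authentication.

```python
import hmac
import os
from typing import Optional


def parse_bearer(headers: dict) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    value = headers.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def vulnerable_check(headers: dict, api_token: Optional[str]) -> bool:
    """Fail-open logic (the CWE-306 condition): an unset or empty API_TOKEN
    is treated as 'nothing to enforce', so every request is allowed.
    Hypothetical reconstruction, not the project's code."""
    if not api_token:  # None or "" -> enforcement skipped entirely
        return True
    return parse_bearer(headers) == api_token


def hardened_check(headers: dict, api_token: Optional[str]) -> bool:
    """Fail-closed logic: no configured secret means no request is authorised,
    and a presented token is compared in constant time."""
    if not api_token:
        return False  # deny until the operator sets API_TOKEN
    presented = parse_bearer(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), api_token.encode())


def require_api_token(env=os.environ) -> str:
    """Startup guard (assumed mitigation): refuse to start without a secret of
    reasonable length rather than silently running unauthenticated."""
    token = env.get("API_TOKEN", "").strip()
    if len(token) < 32:
        raise RuntimeError("API_TOKEN must be set to a secret of at least 32 characters")
    return token
```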
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Nocturne Memory to version 2.4.1 or later immediately
- Audit all deployed instances for unauthorized memory modifications, especially system://boot and core://* URIs
- Explicitly configure API_TOKEN environment variable on all deployments regardless of version
- Restrict network exposure by binding to localhost (127.0.0.1) or specific interfaces instead of 0.0.0.0
- Implement additional network segmentation to limit LAN access to Nocturne Memory instances
- Review downstream MCP agent sessions for signs of prompt injection or unexpected behavior
- Monitor for anomalous HTTP requests to /memory/* endpoints without valid Authorization headers
Evidence notes
Authentication bypass confirmed in BearerTokenAuthMiddleware when API_TOKEN unset. Default Docker deployment exposes 0.0.0.0 with CORS allow_origins=[*]. System URIs (system://boot, core://*) auto-load into agent sessions per product documentation. Fix version 2.4.1 verified in advisory.
Official resources
- CVE-2026-44830 CVE record (CVE.org)
- CVE-2026-44830 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27