Vibe Security Radar

CVE-2026-29787

Mar 7, 2026 | CWE-200 | Python
Verified by claude-opus-4-6, gemini-3-flash-preview, gemini-3.1-flash-lite-preview, gemini-3.1-pro-preview, gpt-5.4
Severity: MEDIUM 5.3
Verdict: CONFIRMED (low confidence)
AI Tool: Claude Code
Confidence: 86%

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCP_ALLOW_ANONYMOUS_ACCESS=true is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default 0.0.0.0 binding, this ex

How AI Introduced This

The fix for CVE-2026-29787 replaces hardcoded network binding in `mcp_server.py` (`host="0.0.0.0", port=8000`) with configuration-driven `HTTP_HOST`/`HTTP_PORT`, indicating the security issue was exposure of HTTP endpoints, including the health endpoint, on all interfaces by default. The suspected commit is exactly where that hardcoded remote-access binding was introduced, and its commit message explicitly says it set `FastMCP host=0.0.0.0 for remote access`. That change made the service—and thus the health endpoint that disclosed system information—remotely reachable by default, which is the core condition enabling the information disclosure vulnerability.
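A deployment check for the combination described above, written as an added example and not taken from mcp-memory-service or its fix. It assumes the settings are available as a mapping keyed by `HTTP_HOST` and `MCP_ALLOW_ANONYMOUS_ACCESS`; the payload field names and the `health_response` helper are hypothetical.

```python
import ipaddress

# Hypothetical field names standing in for the data the advisory lists
# (OS/Python version, CPU count, memory totals, disk usage, database path).
SENSITIVE_FIELDS = {"os_version", "python_version", "cpu_count",
                    "memory_total", "disk_usage", "database_path"}


def is_loopback_only(host: str) -> bool:
    """True only when the bind address cannot be reached from other machines."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are treated as network-reachable


def audit_exposure(env: dict) -> list:
    """Return findings for the settings combination described in the advisory."""
    # Assumption: an unset HTTP_HOST is audited as the old hardcoded 0.0.0.0.
    host = env.get("HTTP_HOST", "0.0.0.0")
    anonymous = env.get("MCP_ALLOW_ANONYMOUS_ACCESS", "false").strip().lower() == "true"
    findings = []
    if not is_loopback_only(host):
        findings.append(f"HTTP_HOST={host} is reachable from other hosts")
        if anonymous:
            findings.append("anonymous access + non-loopback bind: "
                            "/api/health/detailed is readable without credentials")
    return findings


def health_response(details: dict, authenticated: bool) -> dict:
    """Strip host-fingerprinting fields unless the caller is authenticated."""
    if authenticated:
        return dict(details)
    return {k: v for k, v in details.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    # Constructed sample settings and payload, not from a real deployment.
    for env in ({"HTTP_HOST": "0.0.0.0", "MCP_ALLOW_ANONYMOUS_ACCESS": "true"},
                {"HTTP_HOST": "127.0.0.1", "MCP_ALLOW_ANONYMOUS_ACCESS": "true"}):
        print(env, "->", audit_exposure(env) or "no findings")
    sample = {"status": "healthy", "os_version": "example-os 1.0",
              "database_path": "/example/path/memory.db"}
    print(health_response(sample, authenticated=False))
```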

Bug-Introducing Commits (1)

fix: Configure FastMCP server for remote access and fix mcp.run() syntax

doobidoo | Aug 3, 2025 | src/mcp_memory_service/mcp_server.py | Blame: 90%

Tribunal Analysis

3 agents
CONFIRMED (low)
CONFIRMED | GPT-5.4 | 97%

The fix for CVE-2026-29787 replaces hardcoded network binding in `mcp_server.py` (`host="0.0.0.0", port=8000`) with configuration-driven `HTTP_HOST`/`HTTP_PORT`, indicating the security issue was exposure of HTTP endpoints, including the health endpoint, on all interfaces by default. The suspected commit is exactly where that hardcoded remote-access binding was introduced, and its commit message explicitly says it set `FastMCP host=0.0.0.0 for remote access`. That change made the service—and thus the health endpoint that disclosed system information—remotely reachable by default, which is the core condition enabling the information disclosure vulnerability.

  • Fix commit changes `FastMCP(... host="0.0.0.0", port=8000 ...)` to `host=HTTP_HOST, port=HTTP_PORT` in `src/mcp_memory_service/mcp_server.py`.
  • BIC diff introduces `host="0.0.0.0"` and `port=8000` in the `FastMCP` constructor.
  • BIC commit message: `Set FastMCP host=0.0.0.0 for remote access from Claude Code clients` and `FastMCP server now listening on 0.0.0.0:8000`.
  • Search at the BIC found no health-endpoint code added there, implying the commit did not create the health logic itself but did expose existing HTTP endpoints, including `/health`, to remote clients by default.
UNLIKELY | Claude Opus 4.6 | 30%

Fallback verdict: Agent exhausted max turns without submitting a verdict.

UNLIKELY | Gemini 3.1 Pro | 30%

Fallback verdict: Agent exhausted max turns without submitting a verdict.

Causality Analysis by Gemini 3 Flash
Vulnerability: Information Disclosure
Root Cause: The health endpoint exposed sensitive system information such as version, uptime, and database paths to unauthenticated or read-only users.
Pattern: Returning detailed system information (e.g., version, uptime) in a public or read-only health check endpoint.
AI Signals (2)
Commit 0f1feaa
Claude Code | Co-author trailer | Co-Authored-By: Claude <noreply@anthropic.com> | 95%
Claude Code | Commit message keyword | Generated with Claude Code | 95%
Fix Commits (1)