CVE-2026-6634
Improper Authorization in usememos UpdateInstanceSetting Enables Remote Exploit
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| usememos | memos | up to and including 0.22.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6634 in usememos/memos is a critical security issue that chains Broken Access Control with Stored Cross-Site Scripting (XSS).
Specifically, the backend endpoint UpdateInstanceSetting does not verify that the requesting user holds an administrative role, so any registered user with the "Member" role can submit administrative update requests and have them applied.
On the frontend, the application injects global instance settings into the DOM via innerHTML without sanitization, so script stored in those settings runs in the browser of every user who loads the instance.
Combined, a low-privilege attacker can write arbitrary JavaScript into the "Additional script" field, and that script then executes for every visitor, including unauthenticated guests.
How can this vulnerability impact me?
This vulnerability allows non-admin users to modify global instance settings without authorization.
Because those settings are rendered into every page, it enables execution of arbitrary JavaScript in all users' browsers, which can lead to session theft such as exfiltration of access tokens.
As a result, a single low-privilege account can escalate to a persistent cross-site scripting foothold that compromises the instance's entire user base.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First compare the running memos version against the affected range listed above (0.22.1 and earlier).
Beyond the version check, the vulnerability can be confirmed by testing whether a non-admin user can send an update request to the backend endpoint UpdateInstanceSetting and have the global instance settings actually change.
You can also inspect whether the frontend injects the additionalStyle or additionalScript fields into the DOM through innerHTML without sanitization.
Suggested commands or steps include:
- Using an HTTP client (e.g., curl or Postman) and the credentials of a low-privilege "Member" account, send an UpdateInstanceSetting RPC call carrying a harmless value and check whether the server accepts it (HTTP 200 OK) rather than returning 401/403. Do this only on an instance you are authorized to test, and restore the original value afterwards.
- Inspect the frontend code or the runtime DOM to see whether additionalStyle or additionalScript are injected using innerHTML without sanitization.
- Review the current contents of the additionalScript and additionalStyle settings for script you did not put there, and watch the browser developer tools console for unexpected script execution.
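The first check above, written out as an added example (this is not code from the advisory or from the memos project): a small Go probe that sends a setting-update request with a Member account's bearer token and classifies the answer. The HTTP method, route and JSON body are assumptions passed in as parameters, because this page does not state the exact RPC route; use whatever your memos build exposes, point it only at an instance you are authorized to test, and send a harmless value.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// Verdict is the result of probing the setting-update endpoint as a low-privilege user.
type Verdict string

const (
	VerdictAccepted     Verdict = "accepted: non-admin update succeeded (vulnerable)"
	VerdictRejected     Verdict = "rejected: server enforced the role check"
	VerdictInconclusive Verdict = "inconclusive: unexpected status, inspect manually"
)

// ProbeInstanceSettingUpdate sends one update request authenticated as a
// Member and returns the verdict plus the raw HTTP status. Method, path and
// body are caller-supplied assumptions (the advisory names the RPC, not the
// route), so the same function works for any build's routing.
func ProbeInstanceSettingUpdate(client *http.Client, baseURL, method, path, memberToken string, body []byte) (Verdict, int, error) {
	url := strings.TrimRight(baseURL, "/") + "/" + strings.TrimLeft(path, "/")
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return VerdictInconclusive, 0, err
	}
	req.Header.Set("Authorization", "Bearer "+memberToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return VerdictInconclusive, 0, err
	}
	defer resp.Body.Close()
	return ClassifyStatus(resp.StatusCode), resp.StatusCode, nil
}

// ClassifyStatus maps an HTTP status to a verdict. Any 2xx means the backend
// performed an administrative update for a non-admin caller, which is the
// condition CVE-2026-6634 describes; 401/403 means authorization is enforced.
func ClassifyStatus(status int) Verdict {
	switch {
	case status >= 200 && status < 300:
		return VerdictAccepted
	case status == http.StatusUnauthorized || status == http.StatusForbidden:
		return VerdictRejected
	default:
		return VerdictInconclusive
	}
}

func main() {
	// Placeholder configuration via environment variables (assumptions, not
	// values from the advisory): instance URL, a Member token, and the
	// setting-update route of your build.
	base := os.Getenv("MEMOS_URL")
	token := os.Getenv("MEMOS_MEMBER_TOKEN")
	path := os.Getenv("MEMOS_SETTING_PATH")
	if base == "" || token == "" || path == "" {
		fmt.Println("set MEMOS_URL, MEMOS_MEMBER_TOKEN and MEMOS_SETTING_PATH before running")
		return
	}
	// Placeholder payload shape carrying a harmless additionalScript value;
	// adjust to your build's schema and restore the original afterwards.
	body := []byte(`{"additionalScript":"/* authz probe */"}`)
	client := &http.Client{Timeout: 10 * time.Second}
	verdict, code, err := ProbeInstanceSettingUpdate(client, base, http.MethodPatch, path, token, body)
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	fmt.Printf("HTTP %d -> %s\n", code, verdict)
}
```

A 2xx here is only meaningful if the setting really changed, so read the setting back (as any user) after the probe before calling the instance vulnerable; a 404 or 405 most likely means the assumed route is wrong for your build rather than that the check is in place.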
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users to execute arbitrary JavaScript in all users' browsers, potentially leading to session theft and complete compromise of the user base.
Such unauthorized access and data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
What immediate steps should I take to mitigate this vulnerability?
The root cause is server-side: enforce strict authorization so that UpdateInstanceSetting and related RPC calls are only honoured for callers whose authenticated role is HOST or ADMIN, decided from the session on the server and never from anything in the request body. If a release outside the affected range (later than 0.22.1) that enforces this check is available, upgrade to it.
As defense in depth, avoid injecting dynamic content such as additionalStyle or additionalScript with innerHTML; prefer safer alternatives like textContent or sanitize inputs with a library such as DOMPurify. Note the limit of this second measure: the "Additional script" field exists to run administrator-supplied JavaScript, so no client-side sanitization can make it safe if a non-admin is allowed to write it, which is why the authorization fix is the one that actually closes the vulnerability.
Until the fix is in place, review the current additionalScript and additionalStyle values for content you did not set, and if tampering is found, remove it and rotate access tokens, since the attack described here targets their exfiltration.
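The server-side check described above, as an added example in Go (memos' backend language); this is illustrative code, not memos' own implementation. The Role type, the context key used to carry the authenticated role, the placeholder route and the stand-in handler are all assumptions; the point is that the role decision is made from the authenticated session before the setting-update handler runs, and that Member callers receive 403 while unauthenticated callers receive 401.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role mirrors the three user roles this page names. The type and the way the
// role reaches the request context are assumptions for this example.
type Role string

const (
	RoleHost   Role = "HOST"
	RoleAdmin  Role = "ADMIN"
	RoleMember Role = "MEMBER"
)

type roleKey struct{}

var (
	ErrUnauthenticated = errors.New("no authenticated user on request")
	ErrForbidden       = errors.New("instance settings may only be updated by HOST or ADMIN")
)

// WithRole attaches the caller's role to the context. In a real server the
// authentication layer would do this from the verified session, never from
// a field the client controls.
func WithRole(ctx context.Context, r Role) context.Context {
	return context.WithValue(ctx, roleKey{}, r)
}

// AuthorizeInstanceSettingUpdate is the check that was missing: it allows the
// update only for HOST or ADMIN and distinguishes "not logged in" from
// "logged in but not allowed" so the handler can answer 401 vs 403.
func AuthorizeInstanceSettingUpdate(ctx context.Context) error {
	role, ok := ctx.Value(roleKey{}).(Role)
	if !ok {
		return ErrUnauthenticated
	}
	switch role {
	case RoleHost, RoleAdmin:
		return nil
	default:
		return ErrForbidden
	}
}

// RequireInstanceAdmin wraps the setting-update handler so the role check runs
// before any setting is written.
func RequireInstanceAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		err := AuthorizeInstanceSettingUpdate(r.Context())
		switch {
		case err == nil:
			next.ServeHTTP(w, r)
		case errors.Is(err, ErrUnauthenticated):
			http.Error(w, err.Error(), http.StatusUnauthorized)
		default:
			http.Error(w, err.Error(), http.StatusForbidden)
		}
	})
}

// HandleUpdateInstanceSetting stands in for the real handler; it is only
// reached when the guard passed.
func HandleUpdateInstanceSetting(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(`{"status":"updated"}`))
}

// StatusFor drives the guarded endpoint in-process and reports the HTTP status
// a caller with the given role receives (nil means unauthenticated). The route
// string is a placeholder.
func StatusFor(role *Role) int {
	req := httptest.NewRequest(http.MethodPatch, "/placeholder/instance-settings", nil)
	if role != nil {
		req = req.WithContext(WithRole(req.Context(), *role))
	}
	rec := httptest.NewRecorder()
	RequireInstanceAdmin(http.HandlerFunc(HandleUpdateInstanceSetting)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, r := range []Role{RoleMember, RoleAdmin, RoleHost} {
		role := r
		fmt.Printf("%-7s -> HTTP %d\n", role, StatusFor(&role))
	}
	fmt.Printf("no user -> HTTP %d\n", StatusFor(nil))
}
```

The guard deliberately fails closed: an unknown role value (anything other than HOST or ADMIN) is refused, so adding a new role later cannot silently grant settings access.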