CVE-2026-6634
Received Received - Intake
Improper Authorization in usememos UpdateInstanceSetting Enables Remote Exploit

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in usememos memos up to 0.22.1. This affects the function memos_access_token of the file src/App.tsx of the component UpdateInstanceSetting. This manipulation of the argument additionalStyle/additionalScript causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6634
EUVD
EUVD-2026-23838
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
usememos memos to 0.22.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-6634 vulnerability in usememos/memos is a critical security issue involving a combination of Stored Cross-Site Scripting (XSS) and Broken Access Control.

Specifically, the backend endpoint UpdateInstanceSetting does not verify if the requesting user has administrative privileges, allowing any registered user with a "Member" role to send administrative update requests successfully.

On the frontend, the application dynamically injects global instance settings into the DOM using innerHTML without sanitization, which allows malicious scripts stored in global settings to execute in the context of all users.

An attacker with low privileges can inject malicious scripts into the "Additional script" field, which then execute for any user visiting the instance, including guests.

Impact Analysis

This vulnerability allows unauthorized modification of global instance settings by non-admin users.

It enables execution of arbitrary JavaScript in all users’ browsers, which can lead to session theft such as exfiltration of access tokens.

As a result, it can lead to complete compromise of the instance’s user base through persistent cross-site scripting attacks.

Detection Guidance

This vulnerability can be detected by checking if non-admin users are able to send update requests to the backend endpoint UpdateInstanceSetting and successfully modify global instance settings.

You can also inspect if the frontend injects unsanitized content into the DOM using innerHTML for additionalStyle or additionalScript fields.

Suggested commands or steps include:

  • Use network monitoring tools (e.g., curl or Postman) to send an UpdateInstanceSetting RPC call as a low-privilege user and check if the server accepts it (HTTP 200 OK).
  • Inspect the frontend code or runtime DOM to see if additionalStyle or additionalScript fields are injected using innerHTML without sanitization.
  • Check browser developer tools console for any unexpected script execution or alerts triggered by injected scripts.
Mitigation Strategies

Immediate mitigation steps include enforcing strict server-side authorization to restrict the UpdateInstanceSetting and related RPC calls to only HOST or ADMIN roles.

Avoid using innerHTML to inject dynamic content such as additionalStyle or additionalScript. Instead, use safer alternatives like textContent or sanitize inputs with libraries such as DOMPurify.

Compliance Impact

The vulnerability allows unauthorized users to execute arbitrary JavaScript in all users' browsers, potentially leading to session theft and complete compromise of the user base.

Such unauthorized access and data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6634. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart