CVE-2026-11330
Deferred Deferred - Pending Action
Weak Hash in thedotmack claude-mem

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulDB

Description
A weakness has been identified in thedotmack claude-mem up to 11.0.1. The affected element is the function computeObservationContentHash of the file src/services/sqlite/observations/store.ts of the component Observation Content Hash Handler. This manipulation causes use of weak hash. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. Upgrading to version 12.0.0 is sufficient to fix this issue. Patch name: f32fda8b35e9fe9329f87da65c31149362a03f97. It is suggested to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-11330
EUVD
EUVD-2026-34828
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
thedotmack claude-mem to 11.0.1 (inc)
thedotmack claude-mem 12.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the function computeObservationContentHash of the claude-mem project up to version 11.0.1. The issue is caused by improper concatenation of fields (memorySessionId, title, and narrative) without delimiters before hashing, which leads to weak hash usage and hash collisions.

Because of this, different combinations of these fields can produce identical hashes, causing legitimate observations to be incorrectly deduplicated. This can allow an attacker to manipulate or poison memory observations.

The attack can only be executed locally and is considered difficult due to its high complexity.

The issue was fixed by introducing a null-byte delimiter between concatenated fields before hashing, ensuring unique and unambiguous hashes.

Impact Analysis

This vulnerability can impact you by causing memory observations to be incorrectly deduplicated due to hash collisions, potentially leading to memory poisoning.

Such manipulation could result in corrupted or misleading data being stored or retrieved by the claude-mem system, which maintains persistent memory for AI agents.

Since the attack requires local access and is complex to execute, the risk is somewhat limited, but it could still affect the integrity and reliability of the memory system.

Upgrading to version 12.0.0 or later resolves this issue.

Detection Guidance

This vulnerability is related to the use of a weak hash in the computeObservationContentHash function of the claude-mem system and can only be exploited locally. Detection involves verifying the version of the claude-mem component and checking if the vulnerable function is present without the fix.

Since the vulnerability is in the hashing logic of the application, direct network detection commands are not applicable. Instead, you can check the installed version of claude-mem to determine if it is vulnerable.

  • Run a command to check the installed version of claude-mem, for example: `npx claude-mem --version` or check the package.json or installed package version if installed via npm or other package managers.
  • Inspect the source code file `src/services/sqlite/observations/store.ts` to see if the computeObservationContentHash function uses a null-byte delimiter ('\x00') between concatenated fields. Absence of this delimiter indicates the vulnerable version.

No specific network commands or scanning tools are mentioned for detecting this vulnerability.

Mitigation Strategies

The primary and sufficient mitigation step is to upgrade the claude-mem component to version 12.0.0 or later, where the vulnerability has been fixed.

This upgrade includes a patch that modifies the computeObservationContentHash function to use a null-byte delimiter between concatenated fields, preventing hash collisions and memory poisoning.

  • Upgrade claude-mem to version 12.0.0 by running the appropriate update command, such as reinstalling or updating via npm or the plugin marketplace.
  • Verify that the patch commit (f32fda8b35e9fe9329f87da65c31149362a03f97) is applied in your codebase if you maintain a custom build.

Since the attack requires local access and has high complexity, restricting local access and maintaining good privilege separation can also help reduce risk until the upgrade is applied.

Compliance Impact

The vulnerability involves the use of a weak hash function in the computeObservationContentHash function, which could lead to hash collisions and incorrect deduplication of observations.

Since the attack can only be executed locally and the exploitability is difficult, the risk of data integrity issues exists but is limited in scope.

Improper hashing and potential data integrity issues could impact compliance with standards like GDPR and HIPAA, which require ensuring data accuracy and integrity, but the provided information does not explicitly link this vulnerability to compliance failures.

Upgrading to version 12.0.0 fixes the issue by preventing hash collisions, which helps maintain data integrity and thus supports compliance efforts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart