CVE-2026-13511
Deferred Deferred - Pending Action

Improper Authorization in VoltAgent Memory REST API

Vulnerability report for CVE-2026-13511, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was determined in VoltAgent up to 2.1.17. Affected by this issue is the function handleGetMemoryConversation of the file packages/server-core/src/handlers/memory.handlers.ts of the component Memory REST API. Executing a manipulation of the argument conversationId can lead to improper authorization. The attack may be performed from remote. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-28
Last Modified
2026-06-29
Generated
2026-07-19
AI Q&A
2026-06-29
EPSS Evaluated
2026-07-18
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
voltagent voltagent to 2.1.17 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in VoltAgent up to version 2.1.17, specifically in the function handleGetMemoryConversation within the Memory REST API component. It involves improper authorization caused by manipulation of the argument conversationId. An attacker can exploit this remotely, but the attack is complex and difficult to perform. The exploit has been publicly disclosed, and a fix is pending acceptance.

Detection Guidance

This vulnerability involves improper authorization in the VoltAgent Memory REST API, specifically through manipulation of the conversationId parameter. Detection can focus on monitoring API requests that include conversationId parameters to identify unauthorized access attempts.

To detect exploitation attempts, you can look for API calls where the conversationId does not belong to the authenticated user, which may indicate an Insecure Direct Object Reference (IDOR) attack.

Suggested commands include capturing and inspecting HTTP requests to the Memory REST API endpoints, for example using tools like curl or network monitoring tools such as tcpdump or Wireshark to filter requests containing conversationId parameters.

  • Use curl to test access with different conversationId values and observe if unauthorized data is returned.
  • Example curl command to test access: curl -H "Authorization: Bearer <token>" https://<voltagent-server>/memory/conversations/<conversationId>
  • Use network monitoring tools to filter HTTP requests containing 'conversationId' to detect suspicious access patterns.
Impact Analysis

Exploiting this vulnerability could allow an attacker to bypass proper authorization controls by manipulating the conversationId argument. This could potentially lead to unauthorized access to memory conversation data via the Memory REST API. However, the attack is considered highly complex and difficult to execute.

Compliance Impact

The vulnerability CVE-2026-13511 allows unauthorized access to other users' conversation data via the Memory REST API in VoltAgent. This improper authorization can lead to exposure of personal or sensitive information to unauthorized parties.

Such unauthorized data access can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data to protect user privacy and ensure data confidentiality.

By enabling cross-user data access without proper authorization, the vulnerability increases the risk of data breaches and non-compliance with these standards, potentially leading to legal and regulatory consequences.

Mitigation Strategies

Immediate mitigation involves enforcing strict authorization checks on all memory-related API operations to ensure that users can only access their own conversations.

Since the vulnerability arises from lack of validation of the conversationId against the authenticated user, you should update or patch the VoltAgent components to include user context validation and ownership checks.

If a patch is not yet accepted or available, consider restricting access to the Memory REST API endpoints to trusted users or networks, and monitor for suspicious activity.

  • Apply the fix from the pull request that enforces user authorization on memory operations once it is available.
  • Restrict API access via network controls or authentication mechanisms to minimize exposure.
  • Monitor logs for unauthorized access attempts and respond accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart