Cloud-Temple/live-memory · critical

Live Memory MCP Server — Shared working memory for collaborative AI agents (Memory Bank as a Service)

Live Memory is an MCP server that provides a shared working memory (Memory Bank as a Service) for collaborative AI agents. It allows multiple agents t...

purpose: Live Memory is an MCP server that provides a shared working memory (Memory Bank as a Service) for collaborative AI agents.
threat: network exposed
Python · 6 · Jun 9, 2026 · Jun 10, 2026 · GITHUB
RISK SCORE: 0 / 100 risk
  low findings: +5
  high findings: +100
  medium findings: +60
  capped at 100
VULNERABILITY ANALYSIS · 9 findings in 9 blocks · 4 HIGH · 4 MEDIUM · 1 LOW
HIGH · 1 finding
src/live_mem/server.py:18
#     tools/admin.py  → admin_create_token, admin_gc_notes, ... (8)

// Network-exposed; if authentication is bypassed or a token with admin privileges is compromised, an attacker gains full control.

EXPLAIN: The admin tools include functions to create, list, and revoke tokens, rotate the bootstrap key, and purge all data for a space. These are extremely powerful operations that, if exposed to a compromised LLM or an unauthorized user, could lead to complete system compromise.
IMPACT: An attacker with access to admin tools could create new tokens, revoke existing ones, rotate keys, and permanently delete all data in any space.
FIX: Restrict admin tools to a separate, highly secured endpoint with additional authentication (e.g., client certificates, IP allowlisting). Ensure admin tools are not callable via the standard MCP interface.
HIGH · 1 finding
src/live_mem/server.py:17
#     tools/backup.py → backup_create, backup_restore, ... (5)

// Network-exposed; requires authentication but if token has broad permissions, backups are exposed.

EXPLAIN: Backup tools include backup_create, backup_restore, backup_list, backup_delete, and backup_info. These allow reading, writing, and deleting backups. Without proper access controls, an attacker could exfiltrate all data or restore malicious backups.
IMPACT: An attacker could download all backups (data exfiltration), delete backups (data loss), or restore a compromised backup (data corruption).
FIX: Implement strict authorization checks on backup operations. Ensure only users with specific space permissions can manage backups for that space.
HIGH · 1 finding

// Source file not analyzed: src/live_mem/server.py

// Finding inferred from import chain: src/live_mem/server.py:16

src/live_mem/server.py:16

// Network-exposed; if graph_connect accepts user-supplied URLs, it is exploitable by any authenticated user.

EXPLAIN: Graph tools include graph_connect, graph_push, graph_status, and graph_disconnect. These allow connecting to an external Graph Memory service and pushing data. If the graph_connect tool accepts arbitrary URLs or credentials, it could be used for SSRF or to connect to malicious services.
IMPACT: An attacker could use graph_connect to perform SSRF attacks, connect to internal services, or exfiltrate data to an attacker-controlled endpoint.
FIX: Restrict graph_connect to a predefined list of allowed endpoints. Validate and sanitize any URL or connection parameters.
HIGH · 1 finding

// Source file not analyzed: src/live_mem/server.py

// Finding inferred from import chain: src/live_mem/server.py:123

src/live_mem/server.py:123

// Network-exposed MCP server; any tool with unvalidated parameters is exploitable by any authenticated or unauthenticated user depending on auth bypass.

EXPLAIN: The server registers all tools via register_all_tools, but the provided source code does not include the tool implementations. Without seeing the actual tool handlers, it is impossible to verify that they properly validate inputs. Given the network-exposed threat model, missing input validation on any tool parameter could lead to injection attacks, path traversal, or other vulnerabilities.
IMPACT: An attacker could exploit unvalidated parameters to perform unauthorized actions, read/write arbitrary files, or execute commands.
FIX: Review all tool implementations to ensure every parameter is validated against expected types, lengths, and allowed values. Use allowlists where possible.
MEDIUM · 1 finding
src/live_mem/server.py:192
_weak_keys = {"change_me_in_production", "changeme", "admin", "password", ""}
if settings.admin_bootstrap_key in _weak_keys:
    logger.critical(
        "⛔ ADMIN_BOOTSTRAP_KEY non configurée ou trop faible ('%s') ! "
        "Définissez une clé de ≥32 caractères aléatoires dans .env.",
        settings.admin_bootstrap_key[:10] + "..."
        if len(settings.admin_bootstrap_key) > 10
        else settings.admin_bootstrap_key,
    )
    sys.exit(1)
if len(settings.admin_bootstrap_key) < 32:
    logger.warning(
        "⚠️ ADMIN_BOOTSTRAP_KEY trop courte (%d chars). Minimum recommandé : 32 caractères.",
        len(settings.admin_bootstrap_key),
    )

// Network-exposed; logs may be accessible to attackers via log injection or log aggregation systems.

EXPLAIN: When the admin bootstrap key is weak or too short, the server logs a warning that includes the key length and, in the critical case, the first 10 characters of the key. While not the full key, this partial disclosure could aid brute-force attacks. More importantly, the key length is logged, which reduces the search space.
IMPACT: An attacker with access to logs could learn the length and first 10 characters of the admin bootstrap key, making brute-force easier.
FIX: Avoid logging any part of the key. Log only a generic message like 'Admin bootstrap key is too weak' without revealing length or characters.
MEDIUM · 1 finding

// Source file not analyzed: src/live_mem/server.py

// Finding inferred from import chain: src/live_mem/server.py:14

src/live_mem/server.py:14

// Network-exposed; any authenticated user can inject content. Prompt injection affects LLM consolidation; XSS affects web UI users.

EXPLAIN: live_note appends a note to a space. If the note content is not sanitized, it could be used for prompt injection against the LLM that performs consolidation, or for stored XSS if displayed in the web interface without proper escaping.
IMPACT: An attacker could inject malicious prompts that manipulate the LLM output, or inject JavaScript that executes in the browser of users viewing the notes.
FIX: Sanitize note content before storage and before rendering in the web UI. Use output encoding appropriate for the context (HTML, JSON, etc.).
MEDIUM · 1 finding

// Source file not analyzed: src/live_mem/server.py

// Finding inferred from import chain: src/live_mem/server.py:15

src/live_mem/server.py:15

// Network-exposed; requires authentication but path traversal could allow privilege escalation.

EXPLAIN: Bank tools include bank_read, bank_delete, bank_rename, bank_export, and bank_import. These likely accept filenames or paths. Without proper validation, an attacker could use path traversal (e.g., '../../etc/passwd') to read or write arbitrary files outside the intended storage.
IMPACT: An attacker could read sensitive files on the server, overwrite critical system files, or exfiltrate data.
FIX: Validate all file path parameters to ensure they are within the allowed storage directory. Use allowlists for filenames and reject any containing '..' or '/'.
MEDIUM · 1 finding

// Source file not analyzed: src/live_mem/server.py

// Finding inferred from import chain: src/live_mem/server.py:12

src/live_mem/server.py:12

// Network-exposed; system_health is likely unauthenticated or low-privilege, making it an attractive SSRF vector.

EXPLAIN: system_health returns server health status including service checks. If these checks involve making HTTP requests to user-supplied URLs, it could be exploited for SSRF. The code snippet does not show the implementation, but the description mentions 'service checks', which may involve external calls.
IMPACT: An attacker could use system_health to probe internal network services, bypass firewalls, or perform port scanning.
FIX: Ensure system_health only checks predefined internal services and does not accept any user input for URLs. If external checks are needed, use an allowlist.
LOW · 1 finding

// Source file not analyzed: src/live_mem/server.py

// Finding inferred from import chain: src/live_mem/server.py:15

src/live_mem/server.py:15

// Network-exposed; requires authentication but if bank_import accepts arbitrary data, it is a high-risk vector.

EXPLAIN: bank_import imports bank files from an external source. If the import process deserializes data without proper validation, it could be vulnerable to insecure deserialization attacks, leading to arbitrary code execution.
IMPACT: An attacker could upload a malicious serialized object that executes arbitrary code on the server.
FIX: Use safe serialization formats (e.g., JSON) and validate all imported data. Avoid using pickle or other unsafe deserialization libraries.
6/10/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.