BACK TO SEARCH
vincentspereira/Enhanced-Cogneecritical
Enterprise-grade AI memory infrastructure - Enhanced fork of Cognee with PostgreSQL, Qdrant, Neo4j, Redis, and MCP server
This MCP server provides an enterprise-grade AI memory infrastructure, acting as an enhanced fork of Cognee. It integrates PostgreSQL, Qdrant, Neo4j, ...
purpose: This MCP server provides an enterprise-grade AI methreat: network exposed
RISK SCORE
0/ 100 risk
low findings+5
high findings+50
medium findings+45
capped at100
VULNERABILITY ANALYSIS · 6 findings in 5 blocks2 HIGH · 3 MEDIUM
HIGH2 findings
src/enhanced_cognee_mcp.py:714
714 @self.app.post("/memory/add")
715 async def add_memory_endpoint(entry: MemoryEntry):
716 """MCP Tool: Add memory entry"""
717 return {"id": await self.add_memory(entry)}MEDIUM1 finding
src/enhanced_cognee_mcp.py:890
890 @self.app.get("/health")
891 async def health_check():
892 """Health check endpoint with Enhanced stack status"""
893 health = {
894 "status": "healthy",
895 "enhanced_mode": config.enhanced_mode,
896 "timestamp": datetime.now(timezone.utc).isoformat(),
897 "stack": {
898 "postgresql": f"{config.postgres_host}:{config.postgres_port}",
899 "qdrant": f"{config.qdrant_host}:{config.qdrant_port}",
900 "neo4j": config.neo4j_uri,
901 "redis": f"{config.redis_host}:{config.redis_port}",
902 },
903 "categories": {
904 "enabled": config.memory_categorization,
905 "count": len(config.category_prefixes),
906 "configured": list(config.category_prefixes.keys()) if config.category_prefixes else []
907 }
908 }src/enhanced_cognee_mcp.py:890
// Network-exposed MCP server; the /health endpoint is unauthenticated and accessible to anyone.
EXPLAINThe /health endpoint is explicitly excluded from API key authentication (line 210-211) and exposes internal hostnames, ports, and configuration details (e.g., PostgreSQL host/port, Qdrant host/port, Neo4j URI, Redis host/port, category prefixes). This information can be used by an attacker to map the internal network and target specific services.
IMPACTAn attacker can discover internal infrastructure details, including database hosts and ports, which aids in planning further attacks (e.g., direct database connection attempts, network reconnaissance).
FIXRemove sensitive configuration details from the health endpoint or require authentication for it. Only expose minimal status information (e.g., 'healthy'/'unhealthy').
MEDIUM1 finding
src/enhanced_cognee_mcp.py:622
622 async def add_knowledge_relation(self, relation: KnowledgeRelation) -> str:
623 """Add knowledge graph relation using Neo4j"""
624 try:
625 with self.neo4j_driver.session(database=config.neo4j_database) as session:
626 # Create nodes if they don't exist
627 session.run("""
628 MERGE (source:Entity {name: $source_name})
629 MERGE (target:Entity {name: $target_name})
630 """, source_name=relation.source_entity, target_name=relation.target_entity)src/enhanced_cognee_mcp.py:622
// Network-exposed MCP server; an attacker can call /knowledge/add_relation with arbitrary entity names.
EXPLAINThe add_knowledge_relation method uses parameterized queries, which prevents Cypher injection. However, there is no validation on the source_entity, target_entity, or relationship_type fields. These values are used as node names and relationship types in Neo4j. While injection is prevented, lack of validation could allow creation of nodes with unexpected names or properties, potentially polluting the graph or causing errors.
IMPACTAn attacker could create nodes with arbitrary names, potentially overwriting existing nodes or creating misleading relationships. This could corrupt the knowledge graph and affect downstream applications.
FIXValidate source_entity, target_entity, and relationship_type using allowlists or regex patterns (e.g., alphanumeric and underscores only) before passing to Neo4j.
MEDIUM1 finding
src/enhanced_cognee_mcp.py:39
39 self.postgres_password = os.getenv("POSTGRES_PASSWORD", "cognee_password")
40 self.qdrant_api_key = os.getenv("QDRANT_API_KEY")
41 self.neo4j_password = os.getenv("NEO4J_PASSWORD", "cognee_password")
42 self.redis_password = os.getenv("REDIS_PASSWORD")src/enhanced_cognee_mcp.py:39-66
// Network-exposed MCP server; health endpoint reveals host/port, and default credentials may be used if not changed.
EXPLAINDatabase passwords and API keys are loaded from environment variables with hardcoded defaults (e.g., 'cognee_password'). While not directly exposed in the health endpoint, the health endpoint reveals host/port information that, combined with default credentials, could allow an attacker to connect directly to the databases if they are network-accessible.
IMPACTAn attacker who gains access to the environment or discovers default credentials could connect directly to PostgreSQL, Neo4j, Qdrant, or Redis, leading to data breach or manipulation.
FIXUse strong, unique passwords for each service. Avoid hardcoded defaults. Consider using a secrets manager. Ensure databases are not exposed to the public internet.
LOW1 finding
src/enhanced_cognee_mcp.py:973
973 host = os.getenv("ENHANCED_HTTPS_HOST", "0.0.0.0")
974 port = int(os.getenv("ENHANCED_HTTPS_PORT", "8080"))src/enhanced_cognee_mcp.py:973
// Network-exposed MCP server; default binding to 0.0.0.0 exposes the service to the network.
EXPLAINThe server defaults to binding on 0.0.0.0, making it accessible from all network interfaces. For a local-only MCP server intended for use with Claude Code, this exposes the service to the network unnecessarily.
IMPACTIf the server is deployed on a machine with a public IP or in a shared network, it could be accessed by unauthorized parties. Combined with other vulnerabilities, this increases the attack surface.
FIXChange the default host to '127.0.0.1' to bind only to localhost. Document that users should set ENHANCED_HTTPS_HOST to '0.0.0.0' only if remote access is required.
◷ 5/29/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.