Auth bypass in Usememos Memos
CVE-2024-21635
Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds th…
Vulnerability class: Broken Authentication
EPSS: 0.000 (15.5th percentile)
Affected products
- Usememos Memos — versions <= 0.18.1
Weakness classification (CWE)
References
- https://github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2 (x_refsource_CONFIRM)