Missing Authentication for Critical Function Affecting neotoma package, versions >=0.6.0 <0.11.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-NEOTOMA-17817060
  • published4 Jul 2026
  • disclosed18 May 2026
  • creditUnknown

Introduced: 18 May 2026

CVE-2026-45577  (opens in a new tab)
CWE-288  (opens in a new tab)
CWE-306  (opens in a new tab)

How to fix?

Upgrade neotoma to version 0.11.1 or higher.

Overview

neotoma is a MCP server for structured personal data memory with unified source ingestion

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the authentication middleware. An attacker can gain unauthorized access to sensitive data and functionality by sending requests through a reverse proxy or same-host tunnel that forwards traffic to the Node process over loopback, causing the application to treat unauthenticated public requests as local. This is only exploitable if the deployment is public and configured behind a reverse proxy or tunnel that forwards requests to the application over a loopback interface.

CVSS Base Scores

version 4.0
version 3.1