CVE-2026-13511 - Vulnerability Details

Description

A vulnerability was determined in VoltAgent up to 2.1.17. Affected by this issue is the function handleGetMemoryConversation of the file packages/server-core/src/handlers/memory.handlers.ts of the component Memory REST API. Executing a manipulation of the argument conversationId can lead to improper authorization. The attack may be performed from remote. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.

Published: 2026-06-28

Score: 2.3 Low

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in VoltAgent’s Memory REST API allows a malicious requester to manipulate the conversationId argument, bypassing authorization controls and gaining unauthorized access to conversation data. The weakness aligns with CWE‑266 and CWE‑285, representing improper privilege management and improper authorization. The reported CVSS score of 2.3 indicates a low‑severity risk since the vulnerability does not lead to code execution or data exfiltration beyond the conversation boundaries but still permits privileged data disclosure to unauthenticated or low‑privilege users.

Affected Systems

All installations of VoltAgent up to and including version 2.1.17 are affected. The issue resides in the handleGetMemoryConversation function within the packages/server-core/src/handlers/memory.handlers.ts file and impacts the Memory REST API interface accessed through the VoltAgent application.

Risk and Exploitability

The attack vector is remote via the public REST API and requires manipulation of a query parameter; it is described as having high complexity with known difficulty of exploitation. An exploit has been publicly disclosed and may be utilized, and the vulnerability is not listed in CISA’s KEV catalog. The EPSS score is not available, suggesting low but uncertain exploitation probability. While the CVSS score is low, the potential impact on confidentiality for exposed conversation data warrants attention, especially if the endpoint is openly reachable.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

VoltAgent

affected

Version	Status	Constraints
`2.1.0`	affected	—
`2.1.1`	affected	—
`2.1.2`	affected	—
`2.1.3`	affected	—
`2.1.4`	affected	—
`2.1.5`	affected	—
`2.1.6`	affected	—
`2.1.7`	affected	—
`2.1.8`	affected	—
`2.1.9`	affected	—
`2.1.10`	affected	—
`2.1.11`	affected	—
`2.1.12`	affected	—
`2.1.13`	affected	—
`2.1.14`	affected	—
`2.1.15`	affected	—
`2.1.16`	affected	—
`2.1.17`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest VoltAgent release when the fix is merged and the vulnerability is closed
Restrict access to the Memory REST API to authenticated and authorized users or specific IP ranges
Introduce server‑side validation for the conversationId parameter to ensure it matches the requesting user’s permissions

Generated by OpenCVE AI on June 28, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/VoltAgent/voltagent/
https://github.com/VoltAgent/voltagent/issues/1315
https://github.com/VoltAgent/voltagent/pull/1317
https://vuldb.com/cve/CVE-2026-13511
https://vuldb.com/submit/838873
https://vuldb.com/vuln/374519
https://vuldb.com/vuln/374519/cti

History

Sun, 28 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in VoltAgent up to 2.1.17. Affected by this issue is the function handleGetMemoryConversation of the file packages/server-core/src/handlers/memory.handlers.ts of the component Memory REST API. Executing a manipulation of the argument conversationId can lead to improper authorization. The attack may be performed from remote. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Title		VoltAgent Memory REST API memory.handlers.ts handleGetMemoryConversation improper authorization
First Time appeared		Voltagent Voltagent voltagent
Weaknesses		CWE-266 CWE-285
CPEs		cpe:2.3:a:voltagent:voltagent::::::::
Vendors & Products		Voltagent Voltagent voltagent
References		https://github.com/VoltAgent/voltagent/ https://github.com/VoltAgent/voltagent/issues/1315 https://github.com/VoltAgent/voltagent/pull/1317 https://vuldb.com/cve/CVE-2026-13511 https://vuldb.com/submit/838873 https://vuldb.com/vuln/374519 https://vuldb.com/vuln/374519/cti
Metrics		cvssV2_0 `{'score': 2.1, 'vector': 'AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Voltagent Voltagent

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-28T22:30:11.528Z

Updated: 2026-06-28T22:30:11.528Z

Reserved: 2026-06-28T06:28:57.591Z

Link: CVE-2026-13511

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T00:00:12Z

Weaknesses

CWE-266
Incorrect Privilege Assignment
CWE-285
Improper Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object