CVE-2024-21635

7.5 HIGH

📋 TL;DR

This vulnerability in the Memos note-taking service allows attackers to keep access to a compromised account even after the user changes the password: access tokens issued before the password change remain valid, enabling persistent unauthorized access. All Memos versions up to and including 0.18.1 are affected.

💻 Affected Systems

Products:
  • Memos
Versions: Up to and including 0.18.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Memos deployments using Access Token authentication are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover with persistent access despite password changes, allowing attackers to read, modify, or delete all user notes and data indefinitely.

🟠

Likely Case

Unauthorized access to sensitive notes and personal data, with attackers maintaining access until manually discovered and tokens revoked.

🟢

If Mitigated

Minimal impact if users manually review and delete suspicious access tokens immediately after password changes.

🌐 Internet-Facing: HIGH - Memos is designed as a web-accessible service, making internet-facing instances directly vulnerable to this authentication bypass.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable but have reduced attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial account compromise (stolen credentials) but token persistence is trivial once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2

Restart Required: No

Instructions:

No official patch available. Monitor GitHub repository for updates and apply when released.

🔧 Temporary Workarounds

Manual Token Review and Deletion

Manually review all access tokens after password changes and delete any suspicious or unrecognized tokens

Access Memos web interface > Settings > Access Tokens > Review and delete suspicious tokens

🧯 If You Can't Patch

  • Implement mandatory token review process after every password change
  • Enable multi-factor authentication if available to reduce initial compromise risk

🔍 How to Verify

Check if Vulnerable:

Check Memos version via web interface or configuration files. If version ≤ 0.18.1, system is vulnerable.

Check Version:

Check web interface Settings > About or examine package/container version

Verify Fix Applied:

Test by creating an access token, changing password, and verifying old token becomes invalid (should fail authentication).

📡 Detection & Monitoring

Log Indicators:

  • Multiple access token creations from different IPs
  • Password change events followed by successful authentication with old tokens

Network Indicators:

  • Authentication requests using tokens created before password changes

SIEM Query:

source="memos" AND (event="password_change" OR event="token_auth") | stats count by user, token_age
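The log indicator above (a password change followed by a successful authentication with a token minted before it) can be checked offline as well as in a SIEM. The following is an added example, not code from Memos or the advisory; the JSON event shape, field names and sample lines are constructed for illustration and would need mapping to your actual log source.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (not real Memos logs). Token t1 is created,
# alice changes her password, and t1 is then still used successfully.
SAMPLE_LOG = """
{"ts":"2024-01-10T09:00:00Z","event":"token_create","user":"alice","token_id":"t1"}
{"ts":"2024-01-10T09:05:00Z","event":"token_auth","user":"alice","token_id":"t1","src_ip":"203.0.113.5"}
{"ts":"2024-01-11T12:00:00Z","event":"password_change","user":"alice"}
{"ts":"2024-01-11T12:30:00Z","event":"token_auth","user":"alice","token_id":"t1","src_ip":"203.0.113.5"}
{"ts":"2024-01-11T13:00:00Z","event":"token_create","user":"alice","token_id":"t2"}
{"ts":"2024-01-11T13:01:00Z","event":"token_auth","user":"alice","token_id":"t2","src_ip":"198.51.100.7"}
{"ts":"2024-01-12T08:00:00Z","event":"token_auth","user":"bob","token_id":"t9","src_ip":"198.51.100.9"}
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_stale_token_auths(log_text):
    """Return token_auth events whose token predates the user's most recent
    password change. Events are expected in chronological order."""
    token_created = {}   # (user, token_id) -> creation time
    last_pw_change = {}  # user -> time of latest password change
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["event"] == "token_create":
            token_created[(user, ev["token_id"])] = ts
        elif ev["event"] == "password_change":
            last_pw_change[user] = ts
        elif ev["event"] == "token_auth":
            changed = last_pw_change.get(user)
            if changed is None:
                continue  # no password change seen for this user yet
            created = token_created.get((user, ev["token_id"]))
            # A token with no creation event in the log is older than the
            # log window, so it also predates the password change.
            if created is None or created < changed:
                findings.append({
                    "ts": ev["ts"], "user": user, "token_id": ev["token_id"],
                    "src_ip": ev.get("src_ip"),
                    "reason": "token created before password change"
                              if created else "token creation not in log",
                })
    return findings

if __name__ == "__main__":
    for f in find_stale_token_auths(SAMPLE_LOG):
        print(f)
```

A hit means an access token survived a password change and should be revoked in Settings > Access Tokens; tokens whose creation is outside the log window are reported separately so they can be reviewed rather than silently ignored.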
