Please report security vulnerabilities through the GitHub Security Advisory tab:
Do not open a public GitHub issue for security vulnerabilities.
- Description of the vulnerability and its potential impact
- Steps to reproduce (proof of concept if possible)
- Affected versions
- Any suggested mitigations
- Acknowledgement: within 14 days of submission
- Fix: best-effort; critical issues prioritized
Only the latest commit on main receives security fixes.
| Version | Supported |
|---|---|
main (latest) |
Yes |
| Older tags | No |
In scope:
- Memory extraction prompt injection (
internal/capture/) - Authentication bypass in the HTTP API (
internal/api/) - Path traversal in the indexer (
internal/indexer/) - Arbitrary command execution via config loading
Out of scope:
- Vulnerabilities in Memgraph, Ollama, or the Anthropic API themselves
- Issues requiring physical access to the host machine
- Denial-of-service attacks against local services
After a fix is merged, we will publish a GitHub Security Advisory with full details.