CVE-2026-11330: Weak Cryptographic Hash in thedotmack claude-mem—Patch to 12.0.0
A cryptographic weakness has been discovered in thedotmack claude-mem versions up to 11.0.1. The Observation Content Hash Handler component uses an insufficiently strong hashing algorithm when processing observation data, which could allow a local attacker with user-level access to manipulate or forge content hashes under specific conditions. This is a localized vulnerability with limited practical exploitability but should be remediated in environments where hash integrity is critical.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.6 LOW · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-327, CWE-328
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
A weakness has been identified in thedotmack claude-mem up to 11.0.1. The affected element is the function computeObservationContentHash of the file src/services/sqlite/observations/store.ts of the component Observation Content Hash Handler. This manipulation causes use of weak hash. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. Upgrading to version 12.0.0 is sufficient to fix this issue. Patch name: f32fda8b35e9fe9329f87da65c31149362a03f97. It is suggested to upgrade the affected component.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11330 involves the computeObservationContentHash function in src/services/sqlite/observations/store.ts, which employs a weak cryptographic hash for content verification. The vulnerability is constrained to local attack scenarios (AV:L), requires user-level privileges (PR:L), and has high complexity (AC:H), making opportunistic exploitation unlikely. The weakness falls under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-328 (Use of Insufficiently Random Values), indicating both algorithm choice and potential entropy issues. Version 12.0.0 introduces a cryptographically sound replacement, referenced by commit f32fda8b35e9fe9329f87da65c31149362a03f97.
Business impact
The integrity risk posed by weak hashing is situational. If observation data feeds downstream compliance or audit workflows, compromised hashes could undermine chain-of-custody claims or allow undetected tampering of records. However, the local-only attack surface and requirement for user credentials significantly reduce real-world risk in typical deployments. Organizations relying on claude-mem for data integrity guarantees should prioritize patching; those using it for non-critical observation logging may defer.
Affected systems
thedotmack claude-mem versions 11.0.1 and earlier are vulnerable. Version 12.0.0 and later contain the fix. No CVSS analysis was available for broader product ecosystems; the vulnerability is specific to this component's hash implementation.
Exploitability
Exploitation requires local system access and at least standard user privileges—a relatively high bar in most enterprise environments. The attack complexity rating of high reflects the need for specific preconditions and technical knowledge to craft meaningful hash collisions or forgeries. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public exploit tooling is known to exist, further reducing practical risk.
Remediation
Upgrade thedotmack claude-mem to version 12.0.0 or later. The patch replaces the weak hashing implementation with a stronger cryptographic function. No configuration changes or compensating controls are documented as necessary; patching is the definitive remediation.
Patch guidance
Apply version 12.0.0 as soon as practical, prioritizing systems where observation data integrity is mission-critical or subject to regulatory verification. Standard change-control processes suffice; no special pre-patch validation is required. Verify the patched binary or commit hash against vendor releases to confirm authenticity. Organizations on extended support should check vendor lifecycle policies, as version 12.0.0 may carry long-term support designation.
Detection guidance
Monitor file integrity or log access to src/services/sqlite/observations/store.ts in running instances. Establish baseline behavior for the computeObservationContentHash function using application performance monitoring (APM) tools. Hash collision or manipulation attempts are difficult to detect post-exploitation but may produce anomalies in observation audit trails. Implement change management controls to flag unexpected hash computation behavior or mismatches between stored and recalculated values.
Why prioritize this
Despite a CVSS score of 3.6 (LOW), this vulnerability warrants timely attention due to the integrity risk it poses to data workflows. It should not block other operational priorities but should be scheduled for the next routine patching cycle. Organizations with strict data integrity requirements or compliance obligations tied to hash verification should elevate priority.
Risk score, explained
The CVSS 3.1 score of 3.6 reflects the confluence of local-only access (reducing attack surface), high complexity (reducing likelihood), and limited impact (no confidentiality loss, partial integrity and availability impact). The score appropriately downgrades the risk despite the cryptographic nature of the flaw, as the prerequisites for successful exploitation are demanding.
Frequently asked questions
Can this vulnerability be exploited remotely or only locally?
Only locally. The attack vector is limited to users with direct access to the system running claude-mem. Remote exploitation is not feasible.
Do I need to do anything besides upgrade to version 12.0.0?
No. The patch is self-contained and requires only a straightforward component upgrade. No configuration changes, data migration, or compensating controls are necessary.
What should I do if I cannot upgrade immediately?
Restrict local user access to systems running vulnerable versions where feasible, use file system and process-level access controls to limit access to the Observation Content Hash Handler, and monitor hash computation activity. Plan an upgrade within your next standard maintenance window.
How does this affect the security of my observation data overall?
The vulnerability affects the cryptographic assurance of observation hashes, not the confidentiality of the data itself. If you rely on these hashes for integrity verification or audit purposes, the risk is more significant. For general observation logging, the practical impact is lower.
This analysis is based on public vulnerability data current as of the publication date. CVSS scores, affected versions, and patch availability are as reported by the vendor and CVE databases. Organizations should verify patch applicability and compatibility in their specific environments before deployment. No exploit code or weaponization details are provided. For the most current advisory information, consult the vendor's official security bulletins and your organization's vulnerability management policies. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10766LOWMLRun DataFrame Hash Weakness (CVSS 3.6)
- CVE-2026-10783LOWWeak Hash in Gradio Audio Cache – Risk Assessment & Patching Guide
- CVE-2026-10800LOWPaddlePaddle FastDeploy Weak Hash Vulnerability
- CVE-2026-10801LOWWeak Hash in ModelScope ms-swift PIL Image Cache
- CVE-2026-10803LOWMLflow Weak Hash Vulnerability in Dataset Digest Computation
- CVE-2026-10804LOWStreamlit Weak Hashing Vulnerability in Palette Handler (CVSS 3.6)
- CVE-2026-10812LOWGPTCache Weak Hash Vulnerability in Cache Key Handler (CVSS 3.6)
- CVE-2026-10813LOWLMCache Weak Hash Vulnerability in KV Cache Handler