| Version | Supported |
|---|---|
| 1.0.x | ✅ Active |
Please do NOT open a public GitHub issue for security vulnerabilities.
Use GitHub's private Security Advisory feature to report vulnerabilities confidentially.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your suggested fix (if any)
You will receive a response within 48 hours. If confirmed, a patch will be released within 7 days and you will be credited in the release notes.
- API binds to
127.0.0.1by default (not0.0.0.0) - CORS restricted to
localhostandchrome-extension:// - Extension communicates only with
localhost:8765 - No authentication (single-user local tool by design)
- No telemetry, no external calls by default
- All data stored in
~/.memoryos/(user-owned)
- Expose port 8765 to the internet without authentication
- Share your
~/.memoryos/directory - Set
HOST=0.0.0.0on a shared or public machine