Cognee, an AI memory/knowledge-graph framework, contains a critical improper access control flaw (CVSS 9.1) that lets any unauthenticated attacker hijack the instance-wide LLM provider configuration and siphon off every user's data.
What Is It
CVE-2026-58473 is an improper access control vulnerability (CWE-306, CWE-862) in Cognee before version 1.2.0. An attacker can self-register an account and call the settings endpoint, which performs no admin or superuser check, to overwrite the global LLM provider configuration. Because Cognee relies on a process-wide singleton configuration cache, this single unauthorized change redirects all LLM operations across the entire instance to an attacker-controlled endpoint.
Why It Matters
Rated CRITICAL with a CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), the flaw is network-exploitable with low complexity and requires no privileges or user interaction. By pointing all LLM traffic at their own endpoint, an attacker can exfiltrate prompts, uploaded documents, extracted entities, and knowledge graph content belonging to every user on the instance; a full-instance confidentiality and integrity compromise from an anonymous starting position.
What's Vulnerable
- Vendor: topoteretes
- Product: Cognee
- Affected versions: All versions before 1.2.0
The vulnerability lives in the settings endpoint, which fails to enforce any administrative authorization before accepting configuration changes.
Patch Status
The issue is fixed in Cognee 1.2.0. Affected users should upgrade to version 1.2.0 or later immediately; the fix is delivered in commit d10b1b7 and tagged in the v1.2.0 release. The supplied source material contains no CISA KEV entry for this CVE, so there is no confirmation of active exploitation at this time.