Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records (PUT /memories/{memory_id}) are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit this by sending unauthenticated requests to modify, overwrite, or delete arbitrary memory records, leading to unauthorized data manipulation and potential data loss.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mem0 1.0.0 server exposes its memory management API endpoints without any authentication or authorization checks. This allows a remote actor to send unauthenticated requests to perform critical functions such as updating memory records (PUT /memories/{memory_id}). The result is that an attacker can modify, overwrite, or delete arbitrary memory records, leading to unauthorized data manipulation and potential loss of data. This flaw represents a serious compromise of data integrity and confidentiality for any system that relies on mem0 for persistent storage.

Affected Systems

The vulnerability affects the mem0 1.0.0 server. No other vendor or product information is listed in the CVE data.

Risk and Exploitability

Because the API is openly exposed, the attack vector is unauthenticated HTTP requests sent over the network. The CVSS score of 7.5 indicates high severity, underscoring the potential to compromise data integrity and availability. The EPSS score of less than 1%, however, signals that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the absence of authentication and authorization checks remains a significant weakness (CWE-306).

Generated by OpenCVE AI on May 15, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement authentication and authorization on all memory management endpoints, ensuring that only verified users with appropriate roles can perform modifications.
  • Restrict external exposure of the mem0 API by placing it behind a firewall or VPN, allowing only internal or trusted networks to access the endpoints.
  • Enable comprehensive logging of all mutations to memory records and monitor for unauthorized access attempts, generating alerts on abnormal activity.
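The three actions above describe one control path: authenticate the caller, check that the caller is allowed to touch the specific record, and write an audit entry for every mutation or denial. The block below is an added, framework-free illustration of that path for a PUT /memories/{memory_id} style endpoint. It is not mem0's code: the token table, the in-memory record store, the Request shape and the token values are all constructed for this example. The ownership check is the object-level authorization that the CWE-639 weakness listed on this page calls for, and a record the caller does not own is reported as not found rather than forbidden so that record identifiers cannot be enumerated.

```python
"""Added example (not mem0's code): authentication, per-record authorization
and an audit log for a PUT /memories/{memory_id} style update handler.
Standard library only, so it runs offline; every value below is constructed."""
import hashlib
import hmac
import logging
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
audit = logging.getLogger("memories.audit")

# Constructed API tokens, kept only as SHA-256 digests (hypothetical values).
TOKEN_DIGESTS = {
    hashlib.sha256(b"tok-alice-example").hexdigest(): "alice",
    hashlib.sha256(b"tok-bob-example").hexdigest(): "bob",
}

# Constructed record store: memory_id -> owner and text.
MEMORIES = {
    "m-1": {"owner": "alice", "text": "alice's note"},
    "m-2": {"owner": "bob", "text": "bob's note"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not mem0's)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    remote_addr: str = "127.0.0.1"


def authenticate(req):
    """Return the caller's user id from a Bearer token, or None (CWE-306 gate)."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    for stored_digest, user in TOKEN_DIGESTS.items():
        # Constant-time comparison so token lookup does not leak by timing.
        if hmac.compare_digest(presented, stored_digest):
            return user
    return None


def update_memory(req):
    """Gate for PUT /memories/{memory_id}; returns (status_code, body)."""
    user = authenticate(req)
    if user is None:
        audit.warning("DENY unauthenticated %s %s from %s",
                      req.method, req.path, req.remote_addr)
        return 401, {"error": "authentication required"}

    memory_id = req.path.rsplit("/", 1)[-1]
    record = MEMORIES.get(memory_id)
    # Object-level authorization (CWE-639 gate): only the owner may modify.
    # A record owned by someone else is reported exactly like a missing one.
    if record is None or record["owner"] != user:
        audit.warning("DENY user=%s update of %s from %s",
                      user, memory_id, req.remote_addr)
        return 404, {"error": "not found"}

    new_text = req.body.get("text")
    if not isinstance(new_text, str):
        return 400, {"error": "text must be a string"}

    record["text"] = new_text
    audit.info("UPDATE memory=%s by user=%s from %s",
               memory_id, user, req.remote_addr)
    return 200, {"id": memory_id, "text": new_text}


if __name__ == "__main__":
    # Unauthenticated, wrong owner, then the legitimate owner.
    print(update_memory(Request("PUT", "/memories/m-1", body={"text": "x"})))
    print(update_memory(Request("PUT", "/memories/m-1",
                                {"Authorization": "Bearer tok-bob-example"},
                                {"text": "x"})))
    print(update_memory(Request("PUT", "/memories/m-1",
                                {"Authorization": "Bearer tok-alice-example"},
                                {"text": "x"})))
```

The denial lines written by the audit logger are the signal the third recommended action asks for: a burst of DENY entries against many memory ids from one address is the pattern to alert on. In a real deployment the token digests and records would live in a database and the handler would sit behind the framework's routing, but the order of the checks (authenticate, then authorize on the specific record, then mutate and log) is the part that matters.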


Tracking


Advisories
Source ID Title
Github GHSA GHSA-jfv9-68m5-gjjr mem0 server lacks authentication and authorization controls for its memory management API endpoints
History

Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Mem0 Server Missing Authentication on Memory Management API

Thu, 14 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification via Unauthenticated Memory Management API
Weaknesses CWE-284
CWE-639

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Mem0ai
Mem0ai mem0
Vendors & Products Mem0ai
Mem0ai mem0

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification via Unauthenticated Memory Management API
Weaknesses CWE-284
CWE-639

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records (PUT /memories/{memory_id}) are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit this by sending unauthenticated requests to modify, overwrite, or delete arbitrary memory records, leading to unauthorized data manipulation and potential data loss.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T19:54:13.934Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31240

Vulnrichment

Updated: 2026-05-14T16:50:04.396Z

NVD

Status: Deferred

Published: 2026-05-12T18:16:52.443

Modified: 2026-05-14T20:17:03.757

Link: CVE-2026-31240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T01:00:16Z

Weaknesses