Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.
Published: 2026-05-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In mem0 1.0.0 the memory deletion endpoint (DELETE /memories) enforces neither authentication nor authorization. The handler accepts user_id, run_id and agent_id as query parameters and deletes whatever records those identifiers select, so an unauthenticated attacker can erase the memory records of any user, run or agent simply by naming it. The result is unauthorized data loss and, for the users whose records are erased, a denial of service.
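To make the two missing checks concrete, here is an added illustration in Python; it is not mem0's code. A toy in-memory store is paired with a DELETE /memories handler written the way the description reports (identifiers taken straight from the query string, no caller identity checked) and with a hardened handler that authenticates the caller with a bearer API key, compared in constant time, and refuses to delete records scoped to a user other than the caller unless the caller is an administrator. The store, the API keys, the principal model and the handler names are assumptions made for the example.

```python
"""Vulnerable vs. hardened authorization for a DELETE /memories handler.

Hypothetical example, not mem0's own code. Requests are modelled as plain
objects so the checks can be exercised without running an HTTP server.
"""
import hmac
from dataclasses import dataclass

# Constructed sample records; fields mirror the identifiers named in the advisory.
SAMPLE_MEMORIES = [
    {"id": "m1", "user_id": "alice", "run_id": None, "agent_id": None, "text": "likes tea"},
    {"id": "m2", "user_id": "alice", "run_id": "r1", "agent_id": "helper", "text": "asked about flights"},
    {"id": "m3", "user_id": "bob", "run_id": None, "agent_id": None, "text": "prefers email"},
]

# Constructed API keys mapping a bearer token to a principal (assumption: a real
# deployment would store only a hash of each key).
API_KEYS = {
    "key-alice-123": {"user_id": "alice", "admin": False},
    "key-admin-999": {"user_id": "svc-admin", "admin": True},
}

SCOPE_KEYS = ("user_id", "run_id", "agent_id")


@dataclass
class Request:
    headers: dict
    query: dict


@dataclass
class Response:
    status: int
    body: dict


class MemoryStore:
    def __init__(self, records):
        self.records = [dict(r) for r in records]

    def delete_all(self, user_id=None, run_id=None, agent_id=None):
        """Delete every record matching all supplied identifiers; return the count."""
        filters = {k: v for k, v in zip(SCOPE_KEYS, (user_id, run_id, agent_id)) if v is not None}
        before = len(self.records)
        self.records = [r for r in self.records
                        if not all(r.get(k) == v for k, v in filters.items())]
        return before - len(self.records)


def delete_memories_vulnerable(store, req):
    # Mirrors the reported flaw: the scope comes entirely from the query string and
    # nobody asks who is calling. With no parameters at all, everything is deleted.
    n = store.delete_all(req.query.get("user_id"), req.query.get("run_id"), req.query.get("agent_id"))
    return Response(200, {"deleted": n})


def authenticate(req):
    """Return the principal for a valid 'Authorization: Bearer <key>' header, else None."""
    value = req.headers.get("authorization", "")
    if not value.startswith("Bearer "):
        return None
    presented = value[len("Bearer "):].encode()
    for key, principal in API_KEYS.items():
        # Constant-time comparison so a key cannot be guessed byte by byte via timing.
        if hmac.compare_digest(key.encode(), presented):
            return principal
    return None


def delete_memories_hardened(store, req):
    principal = authenticate(req)
    if principal is None:                       # CWE-306: authentication required
        return Response(401, {"error": "authentication required"})
    target_user = req.query.get("user_id")
    if target_user is None:                     # never allow an unscoped wipe
        return Response(400, {"error": "user_id is required"})
    if not principal["admin"] and target_user != principal["user_id"]:
        return Response(403, {"error": "forbidden"})   # CWE-862: caller may only touch own data
    n = store.delete_all(target_user, req.query.get("run_id"), req.query.get("agent_id"))
    return Response(200, {"deleted": n})


if __name__ == "__main__":
    s = MemoryStore(SAMPLE_MEMORIES)
    print(delete_memories_vulnerable(s, Request({}, {"user_id": "bob"})))
    s = MemoryStore(SAMPLE_MEMORIES)
    print(delete_memories_hardened(s, Request({}, {"user_id": "bob"})))
    print(delete_memories_hardened(s, Request({"authorization": "Bearer key-alice-123"}, {"user_id": "bob"})))
```

The hardened handler also rejects a request with no user_id, so one unscoped request cannot empty the store; whether run_id or agent_id alone should be an acceptable scope depends on how those identifiers are issued in a particular deployment, which this example does not decide.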

Affected Systems

This vulnerability affects deployments of mem0 version 1.0.0 (CPE cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*). The records on this page name mem0 (vendor Mem0 / Mem0ai) as the affected product; no fixed release is listed, and no official patch is currently available.

Risk and Exploitability

Exploitation is straightforward: an attacker needs only network access to the exposed API and the ability to send an HTTP DELETE request to /memories. No credentials or user interaction are required, and because the user_id, run_id and agent_id query parameters are taken from the request itself, any set of records can be targeted. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) scores this 6.5 Medium because the impact is to integrity and availability only, not confidentiality; the EPSS estimate is below 1% and the SSVC assessment records no known exploitation. Those figures should not be read as low risk for an internet-exposed server: with no authentication or authorization on the endpoint (CWE-306, CWE-862), a single unauthenticated request erases data, so the practical risk to such deployments is high.

Generated by OpenCVE AI on May 13, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify whether your deployment is running mem0 version 1.0.0.
  • Consult the mem0 repository or contact the maintainers for a newer release that applies authentication or authorization controls to the DELETE /memories endpoint.
  • Until a fix is applied, restrict external access to the DELETE /memories endpoint by configuring network firewalls or a reverse proxy to require authentication.
  • Monitor HTTP logs for DELETE requests to detect misuse and consider disabling the endpoint if it is not required for normal operation.
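As an added example of the log monitoring in the last two recommendations (not from OpenCVE or the mem0 project), the following Python parses constructed Combined Log Format access-log lines, such as a reverse proxy in front of the server would write, and flags two patterns: a successful DELETE /memories carrying none of user_id, run_id or agent_id, and one source address deleting memories for several distinct user_id values. The log lines, the threshold and the rule names are assumptions made for the example.

```python
"""Flag suspicious DELETE /memories activity in proxy access logs.

Added example, not OpenCVE's or mem0's code. Proxy access logs normally do not
record the Authorization header, so this looks at scope and volume rather than
at whether a request was authenticated.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Combined Log Format); not from a real server.
SAMPLE_LOG = """\
198.51.100.4 - - [13/May/2026:10:00:01 +0000] "GET /memories?user_id=alice HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [13/May/2026:10:01:02 +0000] "DELETE /memories?user_id=alice HTTP/1.1" 200 15 "-" "curl/8.4.0"
203.0.113.7 - - [13/May/2026:10:01:03 +0000] "DELETE /memories?user_id=bob HTTP/1.1" 200 15 "-" "curl/8.4.0"
203.0.113.7 - - [13/May/2026:10:01:04 +0000] "DELETE /memories?user_id=carol HTTP/1.1" 200 15 "-" "curl/8.4.0"
198.51.100.4 - - [13/May/2026:10:02:10 +0000] "DELETE /memories?user_id=alice&run_id=r1 HTTP/1.1" 200 15 "-" "python-requests/2.31"
203.0.113.9 - - [13/May/2026:10:05:00 +0000] "DELETE /memories HTTP/1.1" 200 15 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCOPE_KEYS = ("user_id", "run_id", "agent_id")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        "query": query,
        "status": int(m["status"]),
    }


def find_suspicious_deletes(log_text, distinct_user_threshold=3):
    """Return findings for successful DELETE /memories requests.

    Rule 'unscoped': the request names none of user_id/run_id/agent_id, i.e. it
    would delete every record.
    Rule 'fan_out': one source IP deleted memories for at least
    distinct_user_threshold different user_id values.
    """
    findings = []
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec is None or rec["method"] != "DELETE"
                or rec["path"] != "/memories" or rec["status"] >= 400):
            continue
        scope = {k: rec["query"][k] for k in SCOPE_KEYS if k in rec["query"]}
        if not scope:
            findings.append({"rule": "unscoped", "ip": rec["ip"], "ts": rec["ts"].isoformat()})
        elif "user_id" in scope:
            users_by_ip[rec["ip"]].add(scope["user_id"])
    for ip, users in users_by_ip.items():
        if len(users) >= distinct_user_threshold:
            findings.append({"rule": "fan_out", "ip": ip, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_deletes(SAMPLE_LOG):
        print(finding)
```

The fan-out threshold is deliberately low for a toy log; in practice it should be tuned per deployment and the same grouping applied to run_id and agent_id as well.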



Advisories
Source: Github GHSA
ID: GHSA-gq6f-qwv9-rf4j
Title: mem0 server lacks authentication and authorization controls for its memory deletion API endpoint
History

Thu, 14 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mem0
Mem0 mem0
CPEs cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*
Vendors & Products Mem0
Mem0 mem0

Wed, 13 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Endpoint Enables Arbitrary Memory Deletion in mem0 1.0.0

Wed, 13 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Deletion of Memory Records in mem0 Server
Weaknesses CWE-284

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
CWE-862
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Deletion of Memory Records in mem0 Server
Weaknesses CWE-284

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mem0ai
Mem0ai mem0
Vendors & Products Mem0ai
Mem0ai mem0

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:48:33.720Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31241

Vulnrichment

Updated: 2026-05-13T13:48:29.291Z

NVD

Status : Analyzed

Published: 2026-05-12T18:16:52.557

Modified: 2026-05-14T18:34:56.720

Link: CVE-2026-31241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:00:06Z

Weaknesses