Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mem0 1.0.0 server contains a flaw where the memory deletion API endpoint (DELETE /memories) does not enforce authentication or authorization. This omission means an unauthenticated attacker can supply any user identifiers as query parameters and delete memory records belonging to any user. The effect of such an operation is unauthorized deletion of data, resulting in data loss and potentially a denial of service for legitimate users.

Affected Systems

This vulnerability affects deployments of mem0 version 1.0.0. No specific vendor or product names are provided, and no official patch is currently available.

Risk and Exploitability

The exploitability of this flaw is straightforward: it requires only the ability to send unauthenticated HTTP DELETE requests to the exposed API endpoint, which is feasible over a network. Because any user, run, or agent identifier can be specified, an attacker can target arbitrary records. The likely attack vector is remote network access. With no EPSS, CVSS, or KEV data available, the risk is assessed as high based on the severity of the impact and the low barrier to exploitation.

Generated by OpenCVE AI on May 12, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Identify whether your deployment is running mem0 version 1.0.0.
  • Consult the mem0 repository or contact the maintainers for a newer release that applies authentication or authorization controls to the DELETE /memories endpoint.
  • Until a fix is applied, restrict external access to the DELETE /memories endpoint by configuring network firewalls or a reverse proxy to require authentication.
  • Monitor HTTP logs for DELETE requests to detect misuse and consider disabling the endpoint if it is not required for normal operation.
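The monitoring step above can be turned into a concrete check. The script below is an added example, not part of the OpenCVE record or of the mem0 project: it parses access log lines in the nginx "combined" format (assumed to come from a reverse proxy in front of the mem0 server), flags every DELETE on the collection path /memories that is scoped by a user_id, run_id or agent_id query parameter (the request shape described in the CVE text), and reports source addresses that issued more than a threshold of successful scoped deletes. The log lines are constructed for the example. The combined format does not record whether an Authorization header was present, so the script flags all scoped collection deletes rather than only unauthenticated ones; a custom log format that records `$http_authorization` presence would let you narrow it further.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log in nginx "combined" format (not real traffic).
# Line 2-4: one client deleting memories for several identifiers in a row.
# Line 6: a DELETE on a single record id, which is not a scoped bulk delete.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:18:01:02 +0000] "POST /memories HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2026:18:02:10 +0000] "DELETE /memories?user_id=alice HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.7 - - [12/May/2026:18:02:11 +0000] "DELETE /memories?user_id=bob HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.7 - - [12/May/2026:18:02:12 +0000] "DELETE /memories?agent_id=support-bot HTTP/1.1" 200 17 "-" "curl/8.4.0"
10.0.0.5 - - [12/May/2026:18:05:00 +0000] "GET /memories?user_id=alice HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - - [12/May/2026:18:06:00 +0000] "DELETE /memories/8f1c2d HTTP/1.1" 204 0 "-" "python-requests/2.31"
"""

# Client IP, timestamp, request line (method + target) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Identifier parameters named in the CVE description.
SCOPE_PARAMS = ("user_id", "run_id", "agent_id")


def parse_line(line):
    """Return a dict with ip, ts, method, path, query, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_bulk_memory_delete(rec):
    """A DELETE on the collection path /memories scoped by an identifier
    parameter removes every record for that user, run or agent."""
    return (rec["method"] == "DELETE"
            and rec["path"].rstrip("/") == "/memories"
            and any(p in rec["query"] for p in SCOPE_PARAMS))


def find_bulk_deletes(log_text):
    """List every scoped collection delete with its source, time, status and scope."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bulk_memory_delete(rec):
            scope = {p: rec["query"][p] for p in SCOPE_PARAMS if p in rec["query"]}
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "scope": scope})
    return findings


def sources_over_threshold(findings, threshold=2):
    """Source addresses with more than `threshold` successful (2xx) scoped
    deletes: one client erasing many identifiers is the pattern to alert on."""
    counts = Counter(f["ip"] for f in findings if 200 <= f["status"] < 300)
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    hits = find_bulk_deletes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} DELETE /memories scope={h["scope"]} status={h["status"]}')
    print("noisy sources:", sources_over_threshold(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the threshold and the 2xx filter are the two knobs to tune so that legitimate per-user cleanup does not page anyone while a sweep across many identifiers does.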



Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Title | (none) | Unauthenticated Deletion of Memory Records in mem0 Server
Weaknesses | (none) | CWE-284

Tue, 12 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Mem0ai; Mem0ai mem0
Vendors & Products | (none) | Mem0ai; Mem0ai mem0

Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:20:55.541Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31241

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:16:52.557

Modified: 2026-05-12T18:16:52.557

Link: CVE-2026-31241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T19:00:20Z

Weaknesses