Description
The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. This results in the deletion of the entire memory database table, causing catastrophic data loss and a complete denial of service for all users of the service.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mem0 v1.0.0 server exposes a DELETE /memories endpoint without any authentication or authorization checks. This flaw allows an unauthenticated user to trigger a reset operation that executes a DROP TABLE SQL statement, erasing the entire memory database. Consequently, all stored data is lost and the service becomes unavailable to all users, constituting a severe data loss and a complete denial of service.

Affected Systems

The vulnerability affects the mem0 v1.0.0 server. No other vendors or product versions are known to be impacted at this time. It is inferred that older releases that retain the same unauthenticated DELETE /memories endpoint may also be affected, but no explicit confirmation is available.

Risk and Exploitability

Because the exploit requires only an unauthenticated HTTP DELETE request, the attack vector is remote over the network. The lack of authentication makes the vulnerability trivially exploitable once the endpoint is reachable. A successful attack results in immediate data destruction and service outage, which would be catastrophic for any organization relying on the mem0 service. No exploitation probability score is available and the vulnerability is not listed in the CISA KEV catalog, but the high impact and ease of exploitation warrant urgent attention.

Generated by OpenCVE AI on May 12, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest mem0 release that implements proper authentication and authorization for the DELETE /memories endpoint
  • If an update is not immediately available, block external access to the DELETE /memories endpoint using firewall or reverse‑proxy rules, allowing only trusted hosts to reach it
  • Monitor HTTP logs for any DELETE /memories requests and investigate suspicious activity promptly

Generated by OpenCVE AI on May 12, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated DELETE /memories Triggers Database Drop
Weaknesses CWE-276
CWE-285

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mem0ai
Mem0ai mem0
Vendors & Products Mem0ai
Mem0ai mem0

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. This results in the deletion of the entire memory database table, causing catastrophic data loss and a complete denial of service for all users of the service.
References

Subscriptions

Mem0ai Mem0
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:22:34.941Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31242

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:16:52.677

Modified: 2026-05-12T18:16:52.677

Link: CVE-2026-31242

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T20:30:23Z

Weaknesses