CVE-2026-31243 - Vulnerability Details

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE TABLE SQL statement. This can cause unexpected table re-creation, schema disruption, potential data loss, and denial of service for the memory management service.

Published: 2026-05-12

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The mem0 1.0.0 server allows unauthenticated users to issue a DELETE request to the /memories endpoint, which triggers a memory reset operation that internally executes a CREATE TABLE SQL statement. This flaw can lead to unintended table recreation, disruption of the database schema, potential data loss for stored memories, and availability problems for the memory management service.

Affected Systems

The affected product is mem0 version 1.0.0. No vendor or additional product information is provided.

Risk and Exploitability

The vulnerability can be exploited remotely by any attacker capable of sending HTTP requests to the mem0 server. Without authentication or authorization controls on the DELETE /memories endpoint, an attacker can trigger the reset operation and cause database schema changes, data loss, and denial of service. It carries a CVSS score of 6.5, indicating moderate severity, while the EPSS score is less than 1% and it is not listed in CISA KEV. The exploitability therefore relies on the attacker’s ability to reach the mem0 service over the network and send a crafted DELETE request.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Mem0ai

Mem0

80%

Version	Status	Scheme	Platform
`1.0.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade mem0 to a version that implements proper authentication and authorization for the /memories endpoint
If an upgrade is unavailable, restrict or block unauthenticated access to the DELETE /memories API using network firewall rules or API gateway authentication
As a temporary workaround, disable or remove the memory reset functionality in the server configuration to prevent the execution of the CREATE TABLE operation

Generated by OpenCVE AI on May 13, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00164.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/mem0ai/mem0
https://www.notion.so/CVE-2026-31243-35d1e139318881c6a6cffbe366c238a6

History

Thu, 14 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mem0 Mem0 mem0
CPEs		cpe:2.3:a:mem0:mem0:1.0.0:::::::*
Vendors & Products		Mem0 Mem0 mem0

Wed, 13 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title	Unauthenticated DELETE Endpoint Triggers Memory Reset and Table Re‑creation in mem0, Causing Data Loss and Denial of Service
Weaknesses	CWE-284 CWE-693

Wed, 13 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306 CWE-862
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 12 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mem0ai Mem0ai mem0
Vendors & Products		Mem0ai Mem0ai mem0

Tue, 12 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated DELETE Endpoint Triggers Memory Reset and Table Re‑creation in mem0, Causing Data Loss and Denial of Service
Weaknesses		CWE-284 CWE-693

Tue, 12 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE TABLE SQL statement. This can cause unexpected table re-creation, schema disruption, potential data loss, and denial of service for the memory management service.
References		https://github.com/mem0ai/mem0 https://www.notion.so/CVE-2026-31243-35d1e139318881c6a6cffbe366c238a6

Subscriptions

Mem0 Mem0

Mem0ai Mem0

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-12T00:00:00.000Z

Updated: 2026-05-13T13:44:02.759Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31243

Vulnrichment

Updated: 2026-05-13T13:43:58.606Z

NVD

Status : Analyzed

Published: 2026-05-12T18:16:52.783

Modified: 2026-05-14T18:38:15.123

Link: CVE-2026-31243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object