Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated POST requests to create malicious or spoofed memory entries in the database, leading to unauthorized data injection and potential data pollution.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mem0 server version 1.0.0 contains a missing authentication and authorization check on the memory creation endpoint (POST /memories). Unauthenticated users can submit arbitrary memory records, which the server stores in the database without verifying identity or permissions. Attackers can thus inject malicious or spoofed memories, leading to data pollution and potentially corrupting user data integrity. The weakness is an improper authorization flaw that allows unauthorized creation of resources.

Affected Systems

Specific affected vendors, product names, and versions are not listed in the CVE data. The vulnerability pertains to the mem0 server component, but the precise deployment context (e.g., cloud hosting, on-premise installation) is unknown.

Risk and Exploitability

The vulnerability can be exploited remotely by sending crafted POST requests to the exposed endpoint. There is no published CVSS score; the EPSS is unavailable, and the issue is not listed in CISA’s KEV catalog. Nevertheless, because the endpoint is publicly reachable without authentication, the potential impact is high if the application is exposed to the internet. Attackers can inject data without needing elevated privileges, indicating a risk of widespread data corruption potentially affecting all users of the affected instance.

Generated by OpenCVE AI on May 12, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement authentication and authorization for the POST /memories endpoint, ensuring only verified users with appropriate permissions can create memory records.
  • Apply role-based access control or similar mechanisms so that only designated roles can submit memory entries, and log all creation attempts for audit.
  • Validate and sanitize input data before storing it to prevent injection of malformed or malicious records.

Generated by OpenCVE AI on May 12, 2026 at 20:55 UTC.
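A guarded handler for the memory-creation endpoint that puts the three recommended actions together (bearer-token authentication, role and ownership checks, schema validation, and an audit entry for every attempt). This is an added example, not part of the OpenCVE record or of the mem0 project's own code; the token store, the role names and the record shape (a user_id plus a list of messages) are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed token store for this example only: SHA-256(token) -> principal and roles.
# A real deployment would back this with a database or an identity provider.
def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

TOKENS = {
    _digest("writer-token-1"): {"sub": "alice", "roles": {"memory:write"}},
    _digest("reader-token-2"): {"sub": "bob", "roles": {"memory:read"}},
}
AUDIT_LOG = []  # one entry per creation attempt, whether allowed or refused


def authenticate(headers):
    """Resolve 'Authorization: Bearer <token>' to a principal dict, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    presented = _digest(token)
    for stored, principal in TOKENS.items():
        if hmac.compare_digest(stored, presented):  # constant-time comparison
            return principal
    return None


def validate_memory(body):
    """Schema check for a memory record (assumed shape); returns an error message or None."""
    if not isinstance(body.get("user_id"), str) or not body["user_id"].strip():
        return "user_id must be a non-empty string"
    msgs = body.get("messages")
    if not isinstance(msgs, list) or not msgs:
        return "messages must be a non-empty list"
    if any(not isinstance(m, dict) or not isinstance(m.get("content"), str) for m in msgs):
        return "each message needs a string 'content'"
    return None


def create_memory(headers, body):
    """Guarded handler for POST /memories: returns (HTTP status, response body)."""
    principal = authenticate(headers)
    if principal is None:
        status, resp = 401, {"error": "authentication required"}
    elif "memory:write" not in principal["roles"]:
        status, resp = 403, {"error": "memory:write role required"}
    elif (err := validate_memory(body)) is not None:
        status, resp = 400, {"error": err}
    elif body["user_id"] != principal["sub"]:  # callers may only write their own memories
        status, resp = 403, {"error": "user_id does not match the caller"}
    else:
        status, resp = 201, {"stored_for": body["user_id"], "count": len(body["messages"])}
    AUDIT_LOG.append({"sub": principal and principal["sub"], "status": status})
    return status, resp
```

An unauthenticated request, a read-only caller, a malformed record and a record spoofing another user's identity are all refused before anything is stored, and each refusal is visible in AUDIT_LOG.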

Advisories

No advisories yet.

History

Wed, 13 May 2026 01:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mem0ai; Mem0ai mem0
Vendors & Products                    Mem0ai; Mem0ai mem0

Tue, 12 May 2026 21:15:00 +0000

Type         Values Removed   Values Added
Title                         Missing Authentication on mem0 Memory Creation Endpoint Allows Unauthorized Data Injection
Weaknesses                    CWE-284

Tue, 12 May 2026 18:15:00 +0000

Type          Values Removed   Values Added
Description                    The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated POST requests to create malicious or spoofed memory entries in the database, leading to unauthorized data injection and potential data pollution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T17:25:07.098Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31245

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:16:53.010

Modified: 2026-05-12T18:16:53.010

Link: CVE-2026-31245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:30:06Z

Weaknesses