Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated POST requests to create malicious or spoofed memory entries in the database, leading to unauthorized data injection and potential data pollution.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mem0 1.0.0 server exposes a memory creation endpoint (POST /memories) that lacks authentication and authorization checks. Users without verified credentials can submit arbitrary memory records, which the server accepts and stores without validation. This flaw allows attackers to inject malicious or spoofed memories, thereby corrupting the integrity of the dataset and potentially misleading other users who rely on the stored information.

Affected Systems

The vulnerability applies to installations of the mem0 server version 1.0.0. No specific vendor or product name is listed in the CVE data, and the deployment context (cloud, on‑premise, containerized) is not specified. Any instance running the affected version and exposing the endpoint is susceptible.

Risk and Exploitability

Attackers can exploit the flaw remotely by sending unauthenticated POST requests to the publicly accessible endpoint. The CVSS score of 5.3 indicates medium severity, and the EPSS score of <1% suggests a low probability of exploitation at this time. The vulnerability is not included in CISA’s KEV catalog. Nonetheless, because the endpoint is reachable without authentication, any instance exposed to the internet is at risk of data corruption by unauthorized actors.

Generated by OpenCVE AI on May 13, 2026 at 18:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy an updated mem0 release or patch that requires authentication and authorization for the POST /memories endpoint.
  • Configure network or firewall rules to restrict access to the endpoint to trusted IP ranges or require API keys.
  • Apply role‑based access control so that only users with the appropriate permissions can create memory records.
  • Validate and sanitize incoming memory data before storing it to prevent injection of malformed or malicious content.

Generated by OpenCVE AI on May 13, 2026 at 18:18 UTC.
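Added example, not mem0's own code: a plain-Python gate showing how a POST /memories handler would enforce the authentication (CWE-306) and authorization (CWE-862) checks the advisory says are missing, plus a check against spoofed user_id values. The X-API-Key header, the key table, the permission names and the content/user_id body fields are assumptions, not mem0's real API.

```python
# Added example (not mem0's code): an authentication + authorization gate for a
# POST /memories handler. Header name, permission names, key table and body
# fields are assumptions chosen for illustration.
import json

MAX_BODY_BYTES = 8192

# Constructed API-key table: key -> principal identity and granted permissions.
API_KEYS = {
    "key-alice-123": {"user_id": "alice", "perms": {"memory:create"}},
    "key-svc-ops": {"user_id": "ops", "perms": {"memory:create", "memory:admin"}},
    "key-bob-readonly": {"user_id": "bob", "perms": {"memory:read"}},
}


def authorize_memory_create(headers: dict, raw_body: bytes, api_keys=API_KEYS):
    """Return (status, detail). 201 only when the caller is authenticated,
    permitted to create memories, and writing to its own user_id (or is admin).
    On success detail is the user_id the memory will be stored under."""
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    # CWE-306: require a credential before touching the request body at all.
    key = hdrs.get("x-api-key")
    principal = api_keys.get(key) if key else None
    if principal is None:
        return 401, "missing or unknown API key"
    # CWE-862: being authenticated is not the same as being authorized.
    if "memory:create" not in principal["perms"]:
        return 403, "principal lacks memory:create"
    if len(raw_body) > MAX_BODY_BYTES:
        return 413, "body too large"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(body, dict) or not isinstance(body.get("content"), str):
        return 400, "content must be a string"
    if not body["content"].strip():
        return 400, "content is empty"
    # Spoofed entries: a caller may only write memories for its own user_id
    # unless it holds the admin permission.
    target = body.get("user_id", principal["user_id"])
    if target != principal["user_id"] and "memory:admin" not in principal["perms"]:
        return 403, "cannot create memories for another user"
    return 201, target
```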


Advisories
Source ID Title
Github GHSA | GHSA-cgx8-qgvr-f7vf | mem0 server lacks authentication and authorization controls for its memory creation API endpoint
History

Thu, 14 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mem0
Mem0 mem0
CPEs cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*
Vendors & Products Mem0
Mem0 mem0

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Memory Creation Without Authentication in mem0 1.0.0

Wed, 13 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Missing Authentication on mem0 Memory Creation Endpoint Allows Unauthorized Data Injection
Weaknesses CWE-284

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
CWE-862
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Mem0ai
Mem0ai mem0
Vendors & Products Mem0ai
Mem0ai mem0

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Missing Authentication on mem0 Memory Creation Endpoint Allows Unauthorized Data Injection
Weaknesses CWE-284

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated POST requests to create malicious or spoofed memory entries in the database, leading to unauthorized data injection and potential data pollution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:13:26.506Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31245

Vulnrichment

Updated: 2026-05-13T13:13:21.345Z

NVD

Status : Analyzed

Published: 2026-05-12T18:16:53.010

Modified: 2026-05-14T18:39:12.690

Link: CVE-2026-31245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses