Impact
The vulnerability is an unauthenticated access flaw in mem0’s OpenMemory API. Attackers can read, write, and delete any user memory by calling API routers that were registered without user identifiers or using the dedicated memory retrieval endpoints, an attacker can exfiltrate private data. The same flaw also allows invocation of pause endpoints with a global_pauseof‑service for all users. Consequently the vulnerability compromises confidentiality, integrity, and availability of user data.
Affected Systems
The affected component is mem0’s OpenMemory API (mem0:mem0). No specific version information is provided, but the flaw exists in the current open‑source implementation as seen in the repository commit linked in the references. Any deployment that exposes the default API routes without authentication is susceptible.
Risk and Exploitability
The CVSS critical severity. The EPSS score is not reported, so the exploitation likelihood is unknown, yet the absence of authentication means an attacker can exploit the flaw from any network location that can reach the API. The vulnerability is not listed in the CISA KEV catalog. Attackers would need only to exposed endpoints; no special privileges or advanced techniques are required.
OpenCVE Enrichment