Skip to main content

mem0 Server CVE-2026-31243

| EUVDEUVD-2026-29566 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 cve@mitre.org GHSA-gr7h-9xmf-cp53
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:59 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
May 12, 2026 - 18:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 18:16 nvd
MEDIUM 6.5

DescriptionCVE.org

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE TABLE SQL statement. This can cause unexpected table re-creation, schema disruption, potential data loss, and denial of service for the memory management service.

AnalysisAI

mem0 1.0.0 server allows unauthenticated remote attackers to trigger memory reset and table re-creation via unprotected DELETE /memories endpoint, causing schema disruption, data loss, and denial of service. The vulnerability exploits missing authentication and authorization controls on a database management operation accessible over the network without credentials.

Technical ContextAI

mem0 is a memory management service that exposes HTTP endpoints for managing persistent data. The DELETE /memories endpoint directly triggers database operations including CREATE TABLE SQL statements without validating client identity or permissions. This violates the principle of least privilege and CWE-862 (Missing Authorization), where sensitive operations lack access controls. The HTTP protocol allows network-based access, and the unauthenticated nature (PR:N in CVSS) means no credentials are required to invoke the vulnerable endpoint.

RemediationAI

Immediate mitigation: upgrade to a patched version of mem0 beyond 1.0.0 (exact version not specified in available references; check https://github.com/mem0ai/mem0 for latest release). Until patching is available, implement network-level controls by restricting access to the DELETE /memories endpoint to authenticated internal clients only using a reverse proxy or API gateway (e.g., requiring Bearer token validation, IP whitelisting). Additionally, disable or restrict the DELETE /memories endpoint entirely if the reset functionality is not required for operational use. For defense-in-depth, enable database-level transaction logging and implement alerting on CREATE TABLE operations to detect unauthorized schema modifications. Validate that HTTP requests to sensitive endpoints include authentication credentials before processing, and consider implementing rate limiting on the DELETE endpoint to mitigate rapid, automated exploitation attempts.

Share

CVE-2026-31243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy