
Mem0 CVE-2026-49948 | EUVD-2026-35449 | HIGH
Missing Authorization (CWE-862)
2026-06-09 · VulnCheck · GHSA-hp66-92p5-jh23
CVSS 4.0 (NVD): 8.6

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD) breakdown

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality: High
Vulnerable System Integrity: High
Vulnerable System Availability: None
Subsequent System Confidentiality/Integrity/Availability: None

Lifecycle Timeline (7 events)

  • Jun 09, 2026 16:29 (vuln.today): Analysis updated, v3 (cvss_changed)
  • Jun 09, 2026 16:29 (vuln.today): Analysis updated, v2 (cvss_changed)
  • Jun 09, 2026 16:22 (vuln.today): Re-analysis queued (cvss_changed)
  • Jun 09, 2026 16:22 (NVD): CVSS changed, 8.1 (HIGH) -> 8.6 (HIGH)
  • Jun 09, 2026 15:48 (vuln.today): Source code evidence fetched
  • Jun 09, 2026 15:48 (vuln.today): Analysis generated
  • Jun 09, 2026 14:58 (NVD): CVE published, HIGH 8.1

Description (CVE.org)

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

Analysis (AI)

Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. …
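The bug class described above, shown as an added example that is not Mem0's code: a `/configure` handler that resolves the caller from `X-API-Key` (authentication) but never checks the caller's role (authorization), next to a hardened version that requires an admin role and rejects provider base URLs outside an operator allowlist. The key store, role names, `ALLOWED_HOSTS` and the in-memory `store` standing in for the PostgreSQL row are all constructed assumptions.

```python
"""Vulnerable vs hardened /configure authorization pattern (hypothetical illustration).
Not Mem0's code: key store, roles, allowlist and the config store are constructed."""
import copy
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Principal:
    subject: str
    role: str          # hypothetical role model: "admin" or "user"


# Constructed credential store: distributed API keys -> principal.
API_KEYS: Dict[str, Principal] = {
    "key-admin-001": Principal("ops-admin", "admin"),
    "key-tenant-042": Principal("tenant-42", "user"),
}

# Constructed stand-in for the global config row the server persists to PostgreSQL.
DEFAULT_CONFIG = {
    "llm": {"base_url": "https://api.openai.com/v1"},
    "embedder": {"base_url": "https://api.openai.com/v1"},
}

# Assumption: the operator maintains an allowlist of legitimate provider hosts.
ALLOWED_HOSTS = {"api.openai.com"}


def authenticate(headers: Dict[str, str]) -> Optional[Principal]:
    """Authentication only: resolves WHO is calling, says nothing about what they may do."""
    return API_KEYS.get(headers.get("X-API-Key", ""))


def configure_vulnerable(headers: Dict[str, str], body: dict, store: dict) -> Tuple[int, dict]:
    """Pattern the advisory describes: any authenticated key may overwrite global config."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    store.update(copy.deepcopy(body))      # no role check; change applies to every tenant
    return 200, {"ok": True}


def _base_url_allowed(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


def configure_hardened(headers: Dict[str, str], body: dict, store: dict) -> Tuple[int, dict]:
    """Same endpoint with authorization: admin role required, provider URLs must be allowlisted."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if caller.role != "admin":             # the missing check: authorize the mutation
        return 403, {"error": "forbidden: admin role required for /configure"}
    for section in ("llm", "embedder"):
        url = body.get(section, {}).get("base_url")
        if url is not None and not _base_url_allowed(url):
            return 400, {"error": f"{section}.base_url host not in allowlist"}
    store.update(copy.deepcopy(body))
    return 200, {"ok": True}


def demo() -> dict:
    """Send the attacker's request to both handlers; report status and what got persisted."""
    attacker = {"X-API-Key": "key-tenant-042"}          # low-privilege distributed key
    evil = {"llm": {"base_url": "https://attacker.example/v1"},
            "embedder": {"base_url": "https://attacker.example/v1"}}
    vuln_store = copy.deepcopy(DEFAULT_CONFIG)
    safe_store = copy.deepcopy(DEFAULT_CONFIG)
    return {
        "vulnerable": (configure_vulnerable(attacker, evil, vuln_store)[0],
                       vuln_store["llm"]["base_url"]),
        "hardened": (configure_hardened(attacker, evil, safe_store)[0],
                     safe_store["llm"]["base_url"]),
    }


if __name__ == "__main__":
    print(demo())
```

The role check alone closes the reported issue; the allowlist is an extra layer so that even an admin key that leaks cannot silently point provider traffic at an arbitrary host.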


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: obtain a low-privilege Mem0 API key
  • Delivery: reach /configure over the network
  • Exploit: POST malicious LLM/embedder URLs
  • Execution: config persisted to PostgreSQL
  • Persist: all tenants' traffic proxied to the attacker
  • Impact: exfiltrate prompts and memories, inject responses

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the Mem0 self-hosted server's HTTP API, and (2) possession of any valid JWT or X-API-Key, including a low-privilege 'distributed' API key with no administrative role. …
Risk Assessment: The CVSS 4.0 score of 8.6 is consistent with the vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N: network-reachable, low complexity, requires only low-privilege authentication (any distributed API key), no user interaction, and yields high confidentiality and integrity impact while leaving availability untouched. …
Exploit Scenario: An attacker with any valid distributed Mem0 API key, for example a low-tier tenant on a shared instance, sends a single authenticated POST /configure request that points the LLM and embedder base URLs at a server they control. From then on, every prompt, memory write and embedding request from any user on the instance is routed through the attacker, who can silently log sensitive data and return manipulated responses; the setting survives restarts because it is written to PostgreSQL. A public PoC for this flow is referenced in the upstream issue tracker.
Remediation: Upgrade to the Mem0 build containing the fix commit ae7f4062652df1376990221101d1adbb0819c973 (merged via PR https://github.com/mem0ai/mem0/pull/5360). The fix is available upstream as a commit; a tagged release version beyond 0.2.8 is not independently confirmed from the provided data. … Note that the patch stops further unauthorized writes but does not by itself revert a provider configuration an attacker has already persisted, so inspect the stored LLM and embedder settings after upgrading.

Recommended Action (AI)

Within 24 hours: verify the running Mem0 version and, if it is 0.2.8 or earlier, restrict API key usage or isolate the instance from production. …
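Triage helpers for the scenario and the recommended action above, added here as an example and not taken from Mem0 or vuln.today: a log hunt for successful `/configure` mutations by non-admin principals, an audit of the persisted provider configuration for hosts outside an allowlist (the check that matters because the malicious setting survives restarts), and an affected-version test for the "through 0.2.8" range. The access-log format, field names, sample lines, `PERSISTED_CONFIG` and `ALLOWED_HOSTS` are all constructed assumptions.

```python
"""Hunt and triage helpers for an unauthorized /configure change (constructed example).
Log format, field names, sample data and allowlist are assumptions, not Mem0's."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample access-log lines (hypothetical format: ts ip key= role= METHOD path status).
SAMPLE_LOG = """\
2026-06-08T11:02:13Z 10.0.4.7 key=key-admin-001 role=admin POST /configure 200
2026-06-08T11:05:40Z 10.0.4.9 key=key-tenant-042 role=user POST /v1/memories 201
2026-06-08T23:41:02Z 203.0.113.5 key=key-tenant-042 role=user POST /configure 200
2026-06-09T01:12:55Z 203.0.113.5 key=key-tenant-042 role=user GET /configure 200
2026-06-09T02:00:09Z 203.0.113.5 key=key-tenant-099 role=user POST /configure 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) key=(?P<key>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
MUTATING = {"POST", "PUT", "PATCH"}


def suspicious_configure_calls(log_text: str) -> List[Dict[str, str]]:
    """Successful (2xx) mutations of /configure by a principal that is not an admin."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the assumed format
        e = m.groupdict()
        if (e["path"].rstrip("/") == "/configure" and e["method"] in MUTATING
                and e["role"] != "admin" and e["status"].startswith("2")):
            hits.append(e)
    return hits


# Assumption: operator-managed allowlist of legitimate provider hosts.
ALLOWED_HOSTS = {"api.openai.com"}

# Constructed stand-in for the config row read back from PostgreSQL after the attack.
PERSISTED_CONFIG = {
    "llm": {"provider": "openai", "base_url": "https://attacker.example/v1"},
    "embedder": {"provider": "openai", "base_url": "https://attacker.example/v1"},
}


def audit_persisted_config(config: dict) -> List[Tuple[str, str]]:
    """(section, url) pairs whose base_url host is outside the allowlist.
    A finding means traffic is already redirected; a restart or code upgrade does not clear it."""
    findings = []
    for section in ("llm", "embedder"):
        url = (config.get(section) or {}).get("base_url")
        if url and urlparse(url).hostname not in ALLOWED_HOSTS:
            findings.append((section, url))
    return findings


def is_affected(version: str) -> bool:
    """True for Mem0 versions through 0.2.8, the range the advisory names; suffixes ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups()) <= (0, 2, 8)


if __name__ == "__main__":
    for hit in suspicious_configure_calls(SAMPLE_LOG):
        print("unauthorized /configure mutation:", hit["ts"], hit["key"], hit["ip"])
    for section, url in audit_persisted_config(PERSISTED_CONFIG):
        print("off-allowlist provider endpoint:", section, url)
    print("affected:", is_affected("0.2.8"))
```

On the sample data only the 23:41 tenant request is flagged: the admin's call is authorized, the GET does not mutate, and the 403 shows a request that was refused. The config audit is the step to run regardless of what the logs show, since the advisory's point is that the rewrite is persisted and survives restarts.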


CVE-2026-49948 vulnerability details – vuln.today
