Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue.
AnalysisAI
Unsafe pickle deserialization in mem0 up to version 1.0.11 allows authenticated remote attackers to execute arbitrary code via manipulation of the faiss.py vector store module. The vulnerability affects the pickle.load/pickle.dump functions used to serialize docstore data, enabling code execution with moderate impact (confidentiality, integrity, availability). Public exploit code is available, and vendor has released a patched version.
Technical ContextAI
The mem0 vector store implementation uses Python's pickle module to serialize and deserialize FAISS index metadata (docstore and index_to_id mappings) in mem0/vector_stores/faiss.py. Pickle is inherently unsafe for untrusted data because it can deserialize arbitrary Python objects and execute code during unpickling. An attacker who can control the pickled file contents-either by manipulating stored vector data or intercepting file operations-can craft a malicious pickle payload that executes arbitrary Python code when loaded. This is a textbook example of CWE-502 (Deserialization of Untrusted Data). The fix introduces a SafeUnpickler class that whitelists only safe built-in Python types (dict, list, str, int, float, bool, tuple, set, frozenset, NoneType) and rejects any attempt to instantiate arbitrary classes, effectively neutering the deserialization attack vector while maintaining backward compatibility with existing pickle files.
RemediationAI
Upgrade mem0 to version 1.0.12 or later, which includes commit 62dca096f9236010ca15fea9ba369ba740b86b7a containing the SafeUnpickler implementation. The fix maintains backward compatibility by attempting to load from JSON format first (safe), then falling back to SafeUnpickler for legacy pickle files, with automatic migration to JSON format on load. For users unable to upgrade immediately: (1) restrict write access to vector store files (.pkl, .json) to trusted processes only, implementing file-system level ACLs; (2) disable or restrict APIs that allow uploading or modifying vector data if possible, as the attack surface requires either file-system write access or authenticated API calls; (3) monitor vector store directories for unauthorized modifications. Note that these controls do not prevent exploitation if an attacker has authenticated API access-they only reduce surface area. Patching is the definitive mitigation. The auto-migration to JSON on first load after patching eliminates pickle usage, providing defense in depth against future pickle-related vulnerabilities.
Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed
Unauthenticated data theft, tampering, and denial-of-service affects mem0's OpenMemory API server (openmemory/api compon
Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote
Unauthenticated deletion of arbitrary memory records in mem0 1.0.0 allows remote attackers to remove any database entry
mem0 1.0.0 server allows unauthenticated remote attackers to trigger memory reset and table re-creation via unprotected
mem0 1.0.0 server accepts unauthenticated POST requests to the /memories endpoint, allowing remote attackers to inject a
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26721