Skip to main content

mem0ai mem0 CVE-2026-7597

| EUVDEUVD-2026-26721 LOW
Deserialization of Untrusted Data (CWE-502)
2026-05-01 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Severity Changed
May 01, 2026 - 22:22 NVD
MEDIUM LOW
CVSS changed
May 01, 2026 - 22:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 01, 2026 - 22:16 vuln.today
Public exploit code
Source Code Evidence Fetched
May 01, 2026 - 22:15 vuln.today
Analysis Generated
May 01, 2026 - 22:15 vuln.today
EUVD ID Assigned
May 01, 2026 - 21:46 euvd
EUVD-2026-26721
Analysis Generated
May 01, 2026 - 21:46 vuln.today
Patch released
May 01, 2026 - 21:46 nvd
Patch available
CVE Published
May 01, 2026 - 21:15 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Unsafe pickle deserialization in mem0 up to version 1.0.11 allows authenticated remote attackers to execute arbitrary code via manipulation of the faiss.py vector store module. The vulnerability affects the pickle.load/pickle.dump functions used to serialize docstore data, enabling code execution with moderate impact (confidentiality, integrity, availability). Public exploit code is available, and vendor has released a patched version.

Technical ContextAI

The mem0 vector store implementation uses Python's pickle module to serialize and deserialize FAISS index metadata (docstore and index_to_id mappings) in mem0/vector_stores/faiss.py. Pickle is inherently unsafe for untrusted data because it can deserialize arbitrary Python objects and execute code during unpickling. An attacker who can control the pickled file contents-either by manipulating stored vector data or intercepting file operations-can craft a malicious pickle payload that executes arbitrary Python code when loaded. This is a textbook example of CWE-502 (Deserialization of Untrusted Data). The fix introduces a SafeUnpickler class that whitelists only safe built-in Python types (dict, list, str, int, float, bool, tuple, set, frozenset, NoneType) and rejects any attempt to instantiate arbitrary classes, effectively neutering the deserialization attack vector while maintaining backward compatibility with existing pickle files.

RemediationAI

Upgrade mem0 to version 1.0.12 or later, which includes commit 62dca096f9236010ca15fea9ba369ba740b86b7a containing the SafeUnpickler implementation. The fix maintains backward compatibility by attempting to load from JSON format first (safe), then falling back to SafeUnpickler for legacy pickle files, with automatic migration to JSON format on load. For users unable to upgrade immediately: (1) restrict write access to vector store files (.pkl, .json) to trusted processes only, implementing file-system level ACLs; (2) disable or restrict APIs that allow uploading or modifying vector data if possible, as the attack surface requires either file-system write access or authenticated API calls; (3) monitor vector store directories for unauthorized modifications. Note that these controls do not prevent exploitation if an attacker has authenticated API access-they only reduce surface area. Patching is the definitive mitigation. The auto-migration to JSON on first load after patching eliminates pickle usage, providing defense in depth against future pickle-related vulnerabilities.

Share

CVE-2026-7597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy