Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated remote endpoint (PR:N/AC:L) leaks API keys (C:H) and SSRF reaches internal systems, changing scope (S:C); config write gives limited integrity impact (I:L).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can retrieve stored secrets like OpenAI API keys via GET /api/v1/config/ or trigger SSRF attacks by setting ollama_base_url to internal addresses like cloud IMDS via PUT /api/v1/config/mem0/llm endpoint.
AnalysisAI
Sensitive information disclosure and server-side request forgery in mem0's self-hosted server let unauthenticated remote attackers steal stored LLM provider credentials and pivot into internal infrastructure. Because the /api/v1/config/ endpoints require no authentication (CWE-306), an attacker can GET plaintext secrets such as OpenAI API keys and PUT a malicious ollama_base_url to coerce the server into requesting internal-only addresses like cloud instance metadata (IMDS). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the mem0 server's config API - no authentication, no user interaction, and default configuration per PR:N/UI:N/AC:L in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high priority, not an inflated CVSS number. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-exposed mem0 server sends GET /api/v1/config/ and receives the stored OpenAI (or other provider) API key in plaintext, then reuses it to run up charges or access the victim's LLM account. In a cloud deployment, the attacker instead sends PUT /api/v1/config/mem0/llm setting ollama_base_url to http://169.254.169.254/latest/meta-data/, causing the server to fetch instance metadata and potentially leak cloud credentials. … |
| Remediation | Upstream fix available (PR/commit); a released patched version is not independently confirmed from the available data - apply the vendor fix in commit a3154d59e52386d4e1189c1f5f44819868f76514 (https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514) by upgrading to a build that includes it, and consult the VulnCheck advisory and issue #6081 for guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Search mem0 access logs for requests to /api/v1/config/ endpoints to identify unauthorized access; isolate affected servers if evidence of compromise is found. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed
Unauthenticated data theft, tampering, and denial-of-service affects mem0's OpenMemory API server (openmemory/api compon
Unauthenticated deletion of arbitrary memory records in mem0 1.0.0 allows remote attackers to remove any database entry
mem0 1.0.0 server allows unauthenticated remote attackers to trigger memory reset and table re-creation via unprotected
Unsafe pickle deserialization in mem0 up to version 1.0.11 allows authenticated remote attackers to execute arbitrary co
mem0 1.0.0 server accepts unauthenticated POST requests to the /memories endpoint, allowing remote attackers to inject a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42106
GHSA-225m-p565-9h68