CVE-2026-31240

HIGH

mem0 1.0.0 - Unauthenticated Memory Record Manipulation via Memory Management API

Title source: llm

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records (PUT /memories/{memory_id}) are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit this by sending unauthenticated requests to modify, overwrite, or delete arbitrary memory records, leading to unauthorized data manipulation and potential data loss.

References (2)

Core 2

Core References

https://github.com/mem0ai/mem0

https://www.notion.so/CVE-2026-31240-35d1e13931888170964ae035c04a8f18

Scores

CVSS v3 7.5

EPSS 0.0037

EPSS Percentile 28.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (1)

pypi/mem0ai 0 - 1.0.0PyPI

Published May 12, 2026

Tracked Since May 12, 2026