CVE-2026-31244

MEDIUM

mem0 1.0.0 - Missing Authentication

Title source: llm

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service.
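The two missing controls named in the description (authentication, CWE-306, and authorization, CWE-862) are shown below as an added, framework-free example; it is not mem0's code and does not reproduce its implementation. The token table, the `owner` field and all function names are hypothetical, and the sample records are constructed.

```python
import hmac

# Constructed sample data (assumption): bearer token -> user id.
API_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def new_store():
    """Constructed memory records, each tagged with a hypothetical owner."""
    return {"m1": {"owner": "alice", "text": "likes tea"},
            "m2": {"owner": "bob", "text": "uses vim"}}

def delete_memory_unchecked(store, memory_id, headers):
    """Behaviour as described: DELETE /memories/{memory_id} with no checks."""
    # headers is ignored entirely, so any caller can delete any record.
    return 204 if store.pop(memory_id, None) is not None else 404

def authenticate(headers):
    """Authentication: map a valid bearer token to a user id, else None.
    Header names are assumed to be normalised by the web framework."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for known, user in API_TOKENS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None

def delete_memory_checked(store, memory_id, headers):
    """Hardened form: identify the caller first, then check ownership."""
    user = authenticate(headers)
    if user is None:
        return 401  # no or invalid credentials
    record = store.get(memory_id)
    # Authorization: only the owner may delete. "Missing" and "not yours"
    # return the same status so memory ids cannot be probed.
    if record is None or record["owner"] != user:
        return 404
    del store[memory_id]
    return 204
```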

Scores

CVSS v3 6.5
EPSS 0.0039
EPSS Percentile 30.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-306 CWE-862
Status published
Products (1)
mem0/mem0 1.0.0
Published May 12, 2026
Tracked Since May 13, 2026