CVE-2026-31245

MEDIUM

mem0 1.0.0 - Unauthenticated Arbitrary Memory Record Creation via Memory Creation API Endpoint

Title source: llm

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated POST requests to create malicious or spoofed memory entries in the database, leading to unauthorized data injection and potential data pollution.

Scores

CVSS v3 5.3
EPSS 0.0034
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE CWE-306, CWE-862
Status published
Products (2)
mem0/mem0 1.0.0
pypi/mem0ai 0 - 1.0.0 (PyPI)
Published May 12, 2026
Tracked Since May 13, 2026