CVE-2026-59705

CRITICAL

mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints

Title source: cna
STIX 2.1

Description

mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.

Scores

CVSS v3 9.8
EPSS 0.0050
EPSS Percentile 39.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-306
Status published
Products (1)
mem0/mem0 < a3154d5
Published Jul 07, 2026
Tracked Since Jul 08, 2026