CVE-2026-59705
CRITICALmem0 - OpenMemory API Unauthenticated Access via Memory Endpoints
Title source: cnaDescription
mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.
References (4)
Core 4
Core References
Patch patch
Patch Commit
https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/mem0-openmemory-api-unauthenticated-access-via-memory-endpoints
Scores
CVSS v3
9.8
EPSS
0.0050
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
Status
published
Products (1)
mem0/mem0
< a3154d5
Published
Jul 07, 2026
Tracked Since
Jul 08, 2026