Aggregates CVE and security vulnerability intelligence across all mem0-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk denial of service and vendor risk sql injection and related problems; some flaws may lead to vendor impact application crash, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-31245 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories). The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated POST requests to create malicious or spoofed memory entries in the database, leading to unauthorized data injection and potential data pollution. | [email protected] | 5.3 | 0.34% | 2026-05-12 | 2026-05-14 |
| CVE-2026-31244 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service. | [email protected] | 6.5 | 0.39% | 2026-05-12 | 2026-05-14 |
| CVE-2026-31243 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE TABLE SQL statement. This can cause unexpected table re-creation, schema disruption, potential data loss, and denial of service for the memory management service. | [email protected] | 6.5 | 0.37% | 2026-05-12 | 2026-05-14 |
| CVE-2026-31242 | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. This results in the deletion of the entire memory database table, causing catastrophic data loss and a complete denial of service for all users of the service. | [email protected] | 9.1 | 0.49% | 2026-05-12 | 2026-05-14 |
| CVE-2026-31241 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service. | [email protected] | 6.5 | 0.39% | 2026-05-12 | 2026-05-14 |