CVE-2026-59705
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mem0 | mem0 | 0 < a3154d5 | affected |
Weaknesses
- CWE-306: Missing Authentication for Critical Function
References
- https://github.com/mem0ai/mem0/issues/6080
- https://github.com/mem0ai/mem0
- https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514
- https://www.vulncheck.com/advisories/mem0-openmemory-api-unauthenticated-access-via-memory-endpoints
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.