MEDIUM 6.5

GHSA-gq6f-qwv9-rf4j

mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

Details

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mem0ai

Introduced in: 0

No fixed version published yet for mem0ai (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-31241 [ADVISORY]
https://github.com/mem0ai/mem0 [PACKAGE]
https://www.notion.so/CVE-2026-31241-35d1e139318881459ae5e6f0d7dc6f0f [WEB]