CVE-2026-31241

🔶 medium

Summary

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.

CVSS Score

6.5

Medium

EPSS Score

0.1

Exploit Probability

Published Date

2026-05-12

First Seen: 2026-05-17

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.8% of all 325,680 vulnerabilities in our database.

#169,892

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 13, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

Last Modified 2026-05-14

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE IDs (Weakness Types)

CWE-306 CWE-862

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
mem0	mem0	Affected	v1.0.0

🔗 References 2

🔗 Related CVEs 4

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-31242	⛔ critical	9.1	0.1	The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via...	2026-05-12
CVE-2026-31243	🔶 medium	6.5	0.1	The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functio...	2026-05-12
CVE-2026-31244	🔶 medium	6.5	0.1	The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memo...	2026-05-12
CVE-2026-31245	🔶 medium	5.3	0.1	The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memori...	2026-05-12

These CVEs affect the same products