VYPR
Medium severity6.5NVD Advisory· Published May 12, 2026· Updated May 14, 2026

CVE-2026-31241

CVE-2026-31241

Description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
mem0aiPyPI
<= 1.0.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.