Medium severity6.5NVD Advisory· Published May 12, 2026· Updated May 14, 2026
CVE-2026-31241
CVE-2026-31241
Description
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mem0aiPyPI | <= 1.0.0 | — |
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-gq6f-qwv9-rf4jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31241ghsaADVISORY
- www.notion.so/CVE-2026-31241-35d1e139318881459ae5e6f0d7dc6f0fnvdMitigationThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.