CVE-2026-31244

medium
Published 2026-05-12 · Modified 2026-05-14
CVSS v3
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS v2
VIR risk
6.5

Description

The mem0 1.0.0 server exposes its memory deletion endpoint (DELETE /memories/{memory_id}) without authentication or authorization controls. The endpoint neither verifies the caller's identity nor checks that the caller is permitted to act on the requested record, so an unauthenticated remote attacker who knows or can obtain a memory_id can delete that record with a single DELETE request. The result is unauthorized destruction of stored data and, where many records are removed, denial of service for the application that depends on them. The CVSS vector (C:N/I:L/A:L) reflects that the flaw affects integrity and availability but does not by itself disclose memory contents.
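The following is an added illustration of the flaw class described above, not mem0's own code. It models the delete route as plain Python functions over an in-memory store so the difference between the reported behaviour and a hardened handler is concrete: the vulnerable handler deletes whatever memory_id it is given, while the hardened one first authenticates the caller (CWE-306) and then checks ownership (CWE-862). The X-API-Key header, the API_KEYS table, the owner field and the sample records are assumptions constructed for the example; a helper that classifies the status of an unauthenticated probe against a live server is included as a practitioner's check.

```python
"""Added example for CVE-2026-31244's flaw class; not mem0 project code.
Assumed: an X-API-Key header mapped to user ids, and an `owner` field on
each memory record. All data below is constructed for the example."""
import hmac
from dataclasses import dataclass, field
from typing import Optional
import urllib.request
import urllib.error

# Constructed sample credentials: API key -> user id (assumed scheme).
API_KEYS = {
    "key-alice-0001": "alice",
    "key-bob-0002": "bob",
}

# Constructed sample memory records keyed by memory_id.
MEMORIES = {
    "m-100": {"owner": "alice", "text": "prefers dark mode"},
    "m-200": {"owner": "bob", "text": "allergic to peanuts"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def delete_memory_vulnerable(memory_id: str, headers: dict, store: dict) -> Response:
    """Mirrors the reported behaviour: no identity check, no ownership check.
    Anyone who can reach the server and knows a memory_id can delete it."""
    if memory_id not in store:
        return Response(404, {"detail": "not found"})
    del store[memory_id]
    return Response(200, {"message": "Memory deleted"})


def authenticate(headers: dict) -> Optional[str]:
    """Return the user id bound to the presented API key, or None.
    compare_digest is used so key comparison does not leak through timing."""
    presented = headers.get("X-API-Key", "").encode()
    for key, user in API_KEYS.items():
        if hmac.compare_digest(presented, key.encode()):
            return user
    return None


def delete_memory_hardened(memory_id: str, headers: dict, store: dict) -> Response:
    """Authentication (CWE-306) then authorization (CWE-862) before any mutation."""
    user = authenticate(headers)
    if user is None:
        return Response(401, {"detail": "authentication required"})
    record = store.get(memory_id)
    # Missing and foreign records both yield 404 so a caller cannot enumerate
    # other users' memory ids by distinguishing 403 from 404.
    if record is None or record["owner"] != user:
        return Response(404, {"detail": "not found"})
    del store[memory_id]
    return Response(200, {"message": "Memory deleted"})


def classify_probe_status(status: int) -> str:
    """Interpret the status of an unauthenticated DELETE against a deployment.
    401/403 means the server rejected the request before touching the record;
    200/204/404 means the handler ran for an anonymous caller (404 only tells
    us the id did not exist, which is still the reported exposure)."""
    if status in (401, 403):
        return "auth enforced"
    if status in (200, 204, 404):
        return "reachable without auth"
    return "inconclusive"


def probe_unauthenticated_delete(base_url: str, memory_id: str = "does-not-exist") -> str:
    """Send one credential-less DELETE for a non-existent id against a server
    you are authorized to test and classify the response (network call)."""
    req = urllib.request.Request(f"{base_url}/memories/{memory_id}", method="DELETE")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return classify_probe_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_probe_status(err.code)


if __name__ == "__main__":
    store = {k: dict(v) for k, v in MEMORIES.items()}
    print("vulnerable, no creds:", delete_memory_vulnerable("m-200", {}, store).status)
    store = {k: dict(v) for k, v in MEMORIES.items()}
    print("hardened, no creds:", delete_memory_hardened("m-200", {}, store).status)
    print("hardened, alice on bob's record:",
          delete_memory_hardened("m-200", {"X-API-Key": "key-alice-0001"}, store).status)
    print("hardened, bob on own record:",
          delete_memory_hardened("m-200", {"X-API-Key": "key-bob-0002"}, store).status)
```

When applying the same pattern to a real deployment, put the authentication dependency on every route that mutates state rather than on the delete route alone, and scope the ownership check to the user_id the server itself derived from the credential, never to a user_id supplied in the request body or query string.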

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Vendor advisory (authored 2026-05-27): cve@mitre.org, https://www.notion.so/CVE-2026-31244-35d1e1393188818b8039c50adc75996c

Application impact

Vendor  Product  Versions  Fixed
mem0    mem0     1.0.0     (none listed)

References

CWEs

CWE-306 (Missing Authentication for Critical Function), CWE-862 (Missing Authorization)
