Back to overview

CVE-2026-59705

CRITICAL
9.8
CVSS 3.1
Description
mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.

Metadata

CVE ID
CVE-2026-59705
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-06 15:31 UTC
Published
2026-07-07 22:11 UTC
Last updated
2026-07-07 22:11 UTC
Primary CWE
CWE-306
Missing Authentication for Critical Function
Vendor / Product
mem0 / mem0
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
mem0 mem0 0 < a3154d5
Weakness (CWE)
CWESourceDescription
CWE-306 cna Missing Authentication for Critical Function
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview