Memory Deletion API Vulnerability in mem0 Server by mem0ai
CVE-2026-31241
6.5 MEDIUM
What is CVE-2026-31241?
The mem0 1.0.0 server contains a serious vulnerability in its memory deletion API (DELETE /memories), which lacks the necessary authentication and authorization mechanisms. This allows attackers to send unauthorized DELETE requests targeting various user identifiers, such as user_id or run_id. By exploiting this flaw, an attacker can delete memory records arbitrarily, resulting in unauthorized data loss and potential denial of service for the affected users.
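A deny-by-default gate of the kind the description says the endpoint lacks, as an added example that is not mem0's code: it authenticates the caller and then checks that the user_id or run_id being deleted belongs to that caller. The token table, the ownership model and the function names are hypothetical, and the sample data is constructed.

```python
import hmac

# Constructed sample data (assumption): API token -> caller and the ids it owns.
TOKENS = {
    "tok-alice": {"user_id": "alice", "run_ids": {"run-1", "run-2"}},
    "tok-bob": {"user_id": "bob", "run_ids": {"run-9"}},
}


def authenticate(headers):
    """Return the principal for a Bearer token, or None if absent or unknown."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    for token, principal in TOKENS.items():
        # Constant-time comparison so the check does not leak token prefixes.
        if hmac.compare_digest(token.encode(), presented.encode()):
            return principal
    return None


def authorize_delete(headers, params):
    """Decide a DELETE /memories request; returns (http_status, reason)."""
    principal = authenticate(headers)
    if principal is None:
        return 401, "missing or invalid credentials"  # authentication
    user_id = params.get("user_id")
    run_id = params.get("run_id")
    if user_id is None and run_id is None:
        # Assumption: a delete with no scope is refused rather than widened.
        return 400, "no identifier supplied"
    if user_id is not None and user_id != principal["user_id"]:
        return 403, "user_id does not belong to caller"  # authorization
    if run_id is not None and run_id not in principal["run_ids"]:
        return 403, "run_id does not belong to caller"
    return 200, "allowed"


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice"}
    print(authorize_delete({}, {"user_id": "alice"}))
    print(authorize_delete(alice, {"user_id": "bob"}))
    print(authorize_delete(alice, {"user_id": "alice", "run_id": "run-1"}))
```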
