CVE-2026-31242

critical

Description

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. This results in the deletion of the entire memory database table, causing catastrophic data loss and a complete denial of service for all users of the service.

References

https://www.notion.so/CVE-2026-31242-35d1e1393188819c9ebec0e684b4e656

https://github.com/mem0ai/mem0

Details

Source: Mitre, NVD

Published: 2026-05-12

Updated: 2026-05-14

Risk Information

CVSS v2

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00034