CVE-2026-59705 PUBLISHED

mem0 - OpenMemory API Unauthenticated Access via Memory Endpoints

Assigner: VulnCheck
Reserved: 06.07.2026 Published: 07.07.2026 Updated: 08.07.2026

mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor mem0
Product mem0
Versions Default: unaffected
  • affected from 0 to a3154d5 (excl.)

Credits

  • George Chen reporter

References

Problem Types

  • Missing Authentication for Critical Function CWE