CVE-2026-59705
mem0 · mem0
The mem0 API component suffers from an unauthenticated access vulnerability allowing remote attackers to read, write, or delete user memories and trigger a denial-of-service state.
Executive summary
An unauthenticated access vulnerability in the mem0 API allows remote attackers to perform unauthorized data operations and cause system-wide denial-of-service.
Vulnerability
This vulnerability involves missing authentication middleware on critical API routers, which permits unauthenticated attackers to manipulate user memory records or execute a global pause command to disrupt service.
Business impact
The ability for an unauthenticated attacker to read, modify, or delete arbitrary user memory presents a catastrophic risk to data privacy and integrity. With a CVSS score of 9.8, this critical vulnerability could lead to total compromise of user data and prolonged operational downtime, resulting in significant reputational damage and potential regulatory non-compliance.
Remediation
Immediate Action: Upgrade the mem0 software to the version containing the commit a3154d5 or later immediately.
Proactive Monitoring: Review application logs for unauthorized access patterns to API endpoints and monitor system performance for sudden, unauthorized global service interruptions.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict access control policies to block unauthenticated access to the /api/ path until the patch is applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical security failure that necessitates immediate remediation. Administrators must prioritize updating the mem0 environment to the patched version to prevent unauthorized data access and potential service disruption.