CVE-2026-59705

mem0 · mem0

The mem0 API component suffers from an unauthenticated access vulnerability allowing remote attackers to read, write, or delete user memories and trigger a denial-of-service state.

Executive summary

An unauthenticated access vulnerability in the mem0 API allows remote attackers to perform unauthorized data operations and cause system-wide denial-of-service.

Vulnerability

This vulnerability involves missing authentication middleware on critical API routers, which permits unauthenticated attackers to manipulate user memory records or execute a global pause command to disrupt service.

Business impact

The ability for an unauthenticated attacker to read, modify, or delete arbitrary user memory presents a catastrophic risk to data privacy and integrity. With a CVSS score of 9.8, this critical vulnerability could lead to total compromise of user data and prolonged operational downtime, resulting in significant reputational damage and potential regulatory non-compliance.

Remediation

Immediate Action: Upgrade the mem0 software to the version containing the commit a3154d5 or later immediately.

Proactive Monitoring: Review application logs for unauthorized access patterns to API endpoints and monitor system performance for sudden, unauthorized global service interruptions.

Compensating Controls: Deploy a Web Application Firewall (WAF) with strict access control policies to block unauthenticated access to the /api/ path until the patch is applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical security failure that necessitates immediate remediation. Administrators must prioritize updating the mem0 environment to the patched version to prevent unauthorized data access and potential service disruption.