CVE-2026-31241: mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

May 12, 2026 (updated May 27, 2026)

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.

References

github.com/advisories/GHSA-gq6f-qwv9-rf4j
github.com/mem0ai/mem0
nvd.nist.gov/vuln/detail/CVE-2026-31241
www.notion.so/CVE-2026-31241-35d1e139318881459ae5e6f0d7dc6f0f

Code Behaviors & Features

Detect and mitigate CVE-2026-31241 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →