CVE-2026-31242 — Unauthenticated mem0 reset triggers DROP TABLE on memory store

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. This results in the deletion of the entire memory database table, causing catastrophic data loss and a complete denial of service for all users of the service.

Summary

Certain DELETE /memories flows, reachable without authentication, call VectorStoreBase.reset(), which issues DROP TABLE IF EXISTS {collection_name}. A single anonymous HTTP call can therefore destroy the entire memory table backing all tenants.
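The following is an added illustration of the pattern described above, not mem0's own code: a request handler that routes every DELETE /memories straight into a whole-table reset, beside a hardened handler that authenticates the caller and only lets an authorized role reach the destructive path. The request model, the bearer tokens and roles, the SQLite-backed store and its schema are all constructed for the example; mem0's real server, its VectorStoreBase.reset() and its collection layout are assumed to differ in detail.

```python
"""
Added example (not mem0's code): an ungated reset path beside a gated one.
Tokens, roles, request shape and table layout are constructed for this demo.
"""
import re
import sqlite3
from dataclasses import dataclass, field

# Constructed credential map; a real service would consult its identity
# provider or session store instead of a module-level dict.
TOKENS = {"admin-token": "admin", "reader-token": "reader"}

# SQL identifiers cannot be bound as parameters, so the collection name is
# validated against a strict pattern before it is ever interpolated.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


class MemoryStore:
    """Minimal stand-in for a vector-store collection backed by SQLite."""

    def __init__(self, collection_name: str):
        if not _IDENT.match(collection_name):
            raise ValueError("invalid collection name")
        self.collection_name = collection_name
        self.conn = sqlite3.connect(":memory:")
        self._create()

    def _create(self):
        self.conn.execute(
            f'CREATE TABLE IF NOT EXISTS "{self.collection_name}" '
            "(id TEXT PRIMARY KEY, user_id TEXT, payload TEXT)"
        )

    def insert(self, mem_id, user_id, payload):
        self.conn.execute(
            f'INSERT INTO "{self.collection_name}" VALUES (?, ?, ?)',
            (mem_id, user_id, payload),
        )

    def count(self):
        return self.conn.execute(
            f'SELECT COUNT(*) FROM "{self.collection_name}"'
        ).fetchone()[0]

    def reset(self):
        """Destructive: drops every tenant's memories, then recreates the table."""
        self.conn.execute(f'DROP TABLE IF EXISTS "{self.collection_name}"')
        self._create()


def handle_delete_memories_unguarded(req, store):
    """Vulnerable pattern: any DELETE /memories reaches reset() unconditionally."""
    if req.method == "DELETE" and req.path == "/memories":
        store.reset()
        return 200
    return 404


def handle_delete_memories_guarded(req, store):
    """Hardened pattern: authenticate first, then authorize the destructive path."""
    if not (req.method == "DELETE" and req.path == "/memories"):
        return 404
    auth = req.headers.get("Authorization", "")
    role = TOKENS.get(auth.removeprefix("Bearer ").strip())
    if role is None:
        return 401  # no valid credential presented
    if role != "admin":
        return 403  # authenticated, but not permitted to wipe the collection
    store.reset()
    return 200


if __name__ == "__main__":
    store = MemoryStore("memories")
    store.insert("m1", "alice", "hello")
    anon = Request("DELETE", "/memories")
    print("guarded, anonymous:", handle_delete_memories_guarded(anon, store), store.count())
    print("unguarded, anonymous:", handle_delete_memories_unguarded(anon, store), store.count())
```

The point of the split is that the whole-collection reset is a privileged administrative action, distinct from per-user deletion, and must sit behind both an authentication check (401) and an authorization check (403) before any DROP TABLE can run. The identifier regex on the collection name is a second, independent safeguard for the same statement.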

Affected product and versions

Technical details

Risk

Critical — single-request database destruction.

Remediation / workaround