CVE-2026-31243 — Unauthenticated mem0 reset path issues destructive CREATE TABLE / schema churn

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE TABLE SQL statement. This can cause unexpected table re-creation, schema disruption, potential data loss, and denial of service for the memory management service.

Summary

Another unauthenticated branch of the reset workflow executes CREATE TABLE IF NOT EXISTS via PGVector.create_col() after destructive operations, letting remote callers force schema churn that breaks in-flight writers and can discard residual data depending on migration logic.
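A sketch of the control the description says is missing, added here as an example and not taken from mem0 or from the advisory's author: the reset behind DELETE /memories runs only after an admin bearer token check that fails closed. FakeStore, the token scheme, the status codes and the recorded SQL placeholder are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Route named in the advisory; everything else here is a constructed assumption.
DESTRUCTIVE_ROUTES = {("DELETE", "/memories")}


@dataclass
class FakeStore:
    """Constructed stand-in for the vector store; records SQL a reset would issue."""
    rows: list = field(default_factory=lambda: ["m1", "m2"])
    statements: list = field(default_factory=list)

    def reset(self):
        self.rows.clear()
        # Placeholder text, not the statement mem0 actually builds.
        self.statements.append("CREATE TABLE IF NOT EXISTS <collection> (...)")


def route_key(method, path):
    """Normalize case, query string and trailing slash so variants cannot skip the gate."""
    return (method.upper(), path.split("?", 1)[0].rstrip("/") or "/")


def authorize(method, path, headers, admin_token):
    """Return 200 to proceed, or the HTTP status to reject with."""
    if route_key(method, path) not in DESTRUCTIVE_ROUTES:
        return 200
    if not admin_token:
        return 503  # fail closed: no token configured means no reset at all
    supplied = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, presented = supplied.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return 401
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(presented.encode(), admin_token.encode()):
        return 403
    return 200


def handle(method, path, headers, store, admin_token):
    """Run the reset only after the authorization decision, never before it."""
    status = authorize(method, path, headers, admin_token)
    if status == 200 and route_key(method, path) in DESTRUCTIVE_ROUTES:
        store.reset()
    return status
```

Rejected requests leave the store's rows and statement log untouched, which is the property to assert in a regression test for this issue.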

Affected product and versions

Technical details

Risk

High: operational disruption even if DROP is mitigated elsewhere.

Remediation / workaround

CVE Program next steps