CVE-2026-31244 — Unauthenticated single memory record delete via mem0 DELETE /memories/{memory_id}

MITRE service request: 1988584

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}). The endpoint allows unauthenticated users to delete arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending unauthenticated DELETE requests to remove any memory entry from the database, leading to unauthorized data loss and potential denial of service.

Summary

Knowing (or guessing) opaque memory_id tokens is enough to delete arbitrary rows—no bearer token, no row ownership check before Memory.delete() issues SQL DELETE.

Affected product and versions

• Product: mem0ai/mem0 server.
• Affected range (coordination record): v1.0.0 (commit 5f5e64b44be9be26c6aa223f5c4b538998b8ec8e).

Technical details

• Surface: DELETE /memories/{memory_id} → delete_memory route.
• Sink: PGVector.delete() executing SQL delete without authZ.
• Impact: Targeted erasure of high-value memories (credentials, preferences) or harassment via repeated deletes.

Risk

High — precision sabotage against individual users.

Remediation / workaround

• Require signed URLs or scoped JWT for destructive verbs.
• Vendor patch TBD.

CVE Program next steps