mem0 server lacks authentication and authorization controls for its memory deletion API endpoint
Moderate severity
GitHub Reviewed
Published
May 12, 2026
to the GitHub Advisory Database
•
Updated May 27, 2026
Description
Published by the National Vulnerability Database
May 12, 2026
Published to the GitHub Advisory Database
May 12, 2026
Last updated
May 27, 2026
Reviewed
May 27, 2026
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories). The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A remote attacker can exploit this by sending unauthenticated DELETE requests to erase memory data for any user, leading to unauthorized data loss and denial of service.
References