Description
mem0's openmemory/api component contains an unauthenticated access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary user memories by accessing API routers registered without authentication middleware. Attackers can supply arbitrary user_id parameters or directly access memory retrieval endpoints to expose private memory content, or invoke pause endpoints with global_pause=true to cause denial-of-service across all users.
Problem types
Missing Authentication for Critical Function
Product status
Any version before a3154d5
Credits
George Chen
References
github.com/mem0ai/mem0/issues/6080
github.com/mem0ai/mem0/issues/6080 (GitHub Issue)
github.com/mem0ai/mem0 (Product)
github.com/...ommit/a3154d59e52386d4e1189c1f5f44819868f76514 (Patch Commit)
www.vulncheck.com/...thenticated-access-via-memory-endpoints