SYS::ONLINE
Wasteland.
Briefs1125
Issues18
SinceFeb 2026
LIVE
CVE · Critical CVE-2026-59705 2026-07-07

CVE-2026-59705: Unauthenticated Access in mem0 OpenMemory API

"A critical flaw in mem0's `openmemory/api` component lets unauthenticated attackers read, write, and delete arbitrary user memories, or trigger a global denial-of-service, over the network with no privileges required."

A critical flaw in mem0's openmemory/api component lets unauthenticated attackers read, write, and delete arbitrary user memories, or trigger a global denial-of-service, over the network with no privileges required.

What Is It

CVE-2026-59705 is an unauthenticated access vulnerability (CWE-306, Missing Authentication for a Critical Function) in the openmemory/api component of mem0. The affected API routers are registered without authentication middleware, so anyone who can reach the endpoints can interact with them directly. Attackers can supply arbitrary user_id parameters or hit memory-retrieval endpoints to expose private memory content belonging to other users. The same lack of access control also allows write and delete operations against arbitrary user memories.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL): vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting network-reachable, low-complexity exploitation with no authentication and full impact on confidentiality, integrity, and availability. A CVSS 4.0 score of 9.3 (CRITICAL) was also assigned. Beyond data exposure and tampering, attackers can invoke pause endpoints with global_pause=true to cause a denial-of-service across all users of an affected instance. No active exploitation is confirmed in the supplied source material.

What's Vulnerable

The issue resides specifically in the openmemory/api component and its API routers lacking authentication middleware.

Patch Status

The vulnerability is fixed in commit a3154d59e52386d4e1189c1f5f44819868f76514. Operators running mem0's OpenMemory API should update to a build that includes this commit (a3154d5) or later to add the missing authentication controls on the affected API routers.

Sources