A critical flaw in mem0's openmemory/api component lets unauthenticated attackers read, write, and delete arbitrary user memories, or trigger a global denial-of-service, over the network with no privileges required.
What Is It
CVE-2026-59705 is an unauthenticated access vulnerability (CWE-306, Missing Authentication for a Critical Function) in the openmemory/api component of mem0. The affected API routers are registered without authentication middleware, so anyone who can reach the endpoints can interact with them directly. Attackers can supply arbitrary user_id parameters or hit memory-retrieval endpoints to expose private memory content belonging to other users. The same lack of access control also allows write and delete operations against arbitrary user memories.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL): vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting network-reachable, low-complexity exploitation with no authentication and full impact on confidentiality, integrity, and availability. A CVSS 4.0 score of 9.3 (CRITICAL) was also assigned. Beyond data exposure and tampering, attackers can invoke pause endpoints with global_pause=true to cause a denial-of-service across all users of an affected instance. No active exploitation is confirmed in the supplied source material.
What's Vulnerable
- Vendor/Product: mem0
- Package:
pkg:pypi/mem0ai - Affected versions: all versions prior to commit
a3154d5(default status: unaffected; versions below the fix commit are affected)
The issue resides specifically in the openmemory/api component and its API routers lacking authentication middleware.
Patch Status
The vulnerability is fixed in commit a3154d59e52386d4e1189c1f5f44819868f76514. Operators running mem0's OpenMemory API should update to a build that includes this commit (a3154d5) or later to add the missing authentication controls on the affected API routers.