QSearchQSearch

CVE-2026-49948

8.1 HIGH

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component w...

Published: 2026-06-09 · Last updated: 2026-06-09

Severity and scoring

CVSS
8.1 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
CWE-862

Description

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-26237 A missing authorization vulnerability has been reported to affect QuMagie
  • CVE-2026-46518 OpenEMR is a free and open source electronic health records and medical practice management application (7.7 HIGH)
  • CVE-2026-49956 Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data bel... (6.5 MEDIUM)
  • CVE-2026-47281 Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)
  • CVE-2026-49741 Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition rec...