CVE 8.6 HIGH

Mem0 0.2.8 Missing Authorization via POST /configure Endpoint_CVE-2026-49948

June 9, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

AI Analysis

Missing authorization vulnerability in the self-hosted server component via POST /configure endpoint

Basic Information

ID CVE-2026-49948

Source VulnCheck

Published Jun 9, 2026 at 14:58

Modified Jun 9, 2026 at 15:34

Affected Product

Vendor mem0ai

Product mem0

Affected Versions mem0ai mem0 0

CWE Classification

CWE-862

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor mem0ai

Product mem0

Version 0.2.8

References

{
    "lastseen": "",
    "description": "Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.",
    "published": "2026-06-09T14:58:18.348Z",
    "modified": "2026-06-09T15:34:54.594Z",
    "type": "cve",
    "title": "Mem0 0.2.8 Missing Authorization via POST /configure Endpoint",
    "source": "VulnCheck",
    "references": "https://github.com/mem0ai/mem0/issues/5127\nhttps://github.com/mem0ai/mem0/issues/5384\nhttps://github.com/mem0ai/mem0/pull/5360\nhttps://github.com/mem0ai/mem0/commit/ae7f4062652df1376990221101d1adbb0819c973\nhttps://www.vulncheck.com/advisories/mem0-missing-authorization-via-post-configure-endpoint",
    "id": "CVE-2026-49948",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "mem0ai mem0 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mem0",
    "version": "0",
    "vendor": "mem0ai",
    "ai_description": "Missing authorization vulnerability in the self-hosted server component via POST /configure endpoint",
    "ai_severity": "High",
    "ai_vendor": "mem0ai",
    "ai_product": "mem0",
    "ai_version": "0.2.8",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply