CVE-2026-49948 HIGH

CVE-2026-49948: Mem0 0.2.8 Missing Authorization via POST /configure Endpoint

Vendor Mem0Ai
Product mem0
Weakness CWE-862 · Missing authorization
Published June 9, 2026
Last update June 9, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated