CVE-2026-49948— Mem0 0.2.8 Missing Authorization via POST /configure Endpoint
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49948
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mem0 0.2.8 Missing Authorization via POST /configure Endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
mem0 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
mem0是Mem0开源的一个高效记忆算法基准测试工具。 Mem0 0.2.8及之前版本存在安全漏洞,该漏洞源于缺少授权验证,可能导致任何持有API密钥的认证用户重定向所有LLM和嵌入器流量到攻击者控制的服务器。以下版本受到影响:0.2.8及之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-49948
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7285 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-49948
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-49948 (3)
Vendor Advisories for CVE-2026-49948 (1)
Proof of Concept for CVE-2026-49948 (1)
IV. Related Vulnerabilities
Same weakness: CWE-862
- CVE-2026-12119
Simple File List <= 6.3.7 - Missing Authorization to Authent - CVE-2026-11912
Simple File List <= 6.3.7 - Missing Authorization to Unauthe - CVE-2026-56213
Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via u - CVE-2026-48582
Microsoft Exchange Online Elevation of Privilege Vulnerabili - CVE-2026-12238
WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Cre
V. Comments for CVE-2026-49948
No comments yet