CVE-2026-49948
Detailed description
Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.
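The flaw class described above is a gap between authentication and authorization: the endpoint confirms who is calling but never asks whether that caller is allowed to change instance-wide settings. The following added example is not Mem0's code; it is a minimal, self-contained model of the pattern in plain Python. The `Principal` roles ("admin"/"user"), the API key table, the request shape and the `ConfigStore` standing in for the PostgreSQL-backed configuration are all constructed assumptions. It places the vulnerable handler (key check only) beside the hardened one (key check, then role check, then audit entry) and runs a low-privilege caller against both.

```python
"""Authentication is not authorization: a minimal model of a /configure-style
endpoint that persists global provider settings. Names, roles, keys and the
request shape are illustrative assumptions, not Mem0's real code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Principal:
    """Caller identity after the JWT / X-API-Key check has succeeded."""
    subject: str
    role: str  # assumed roles: "admin" or "user"


@dataclass
class ConfigStore:
    """Stand-in for the database-backed global configuration."""
    llm_base_url: str = "https://llm.internal.example"
    embedder_base_url: str = "https://embed.internal.example"
    audit_log: list = field(default_factory=list)


# Constructed credential table: one distributed API key per caller.
API_KEYS = {
    "key-admin-0001": Principal("alice", "admin"),
    "key-user-0002": Principal("bob", "user"),
}


def authenticate(headers: dict) -> Optional[Principal]:
    """Answers only 'who is calling?'. Returns None for an unknown key."""
    return API_KEYS.get(headers.get("X-API-Key", ""))


def configure_vulnerable(headers: dict, body: dict, store: ConfigStore) -> int:
    """Flaw pattern: any authenticated caller may rewrite the global provider URLs."""
    principal = authenticate(headers)
    if principal is None:
        return 401
    store.llm_base_url = body.get("llm_base_url", store.llm_base_url)
    store.embedder_base_url = body.get("embedder_base_url", store.embedder_base_url)
    return 200


def configure_hardened(headers: dict, body: dict, store: ConfigStore) -> int:
    """Fix pattern: authenticate, then authorize by role, then record the change."""
    principal = authenticate(headers)
    if principal is None:
        return 401
    if principal.role != "admin":  # the check the vulnerable handler lacks
        store.audit_log.append(f"denied configure by {principal.subject}")
        return 403
    store.llm_base_url = body.get("llm_base_url", store.llm_base_url)
    store.embedder_base_url = body.get("embedder_base_url", store.embedder_base_url)
    store.audit_log.append(f"configure by {principal.subject}: {body}")
    return 200


def demo() -> dict:
    """Runs a low-privilege caller against both handlers and reports the outcome."""
    body = {"llm_base_url": "https://changed.example"}  # constructed request body
    headers = {"X-API-Key": "key-user-0002"}            # valid key, non-admin role
    vuln = ConfigStore()
    hard = ConfigStore()
    return {
        "vulnerable_status": configure_vulnerable(headers, body, vuln),
        "vulnerable_llm_url": vuln.llm_base_url,
        "hardened_status": configure_hardened(headers, body, hard),
        "hardened_llm_url": hard.llm_base_url,
        "audit_entries": len(hard.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable handler the non-admin key succeeds and the stored URL changes, which is the persisted, instance-wide effect the description warns about; in the hardened handler the same call returns 403, the store is untouched, and the denial is logged, which is also what a detection rule for this endpoint should be looking for.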
Attack vector (CVSS)
References and patches
Latest vulnerabilities
CVE-2026-9213
A vulnerability in the affected NETGEAR gaming routers allows attackers with the ability to intercept and tamper with traffic between the router and the Internet to execute code on the device.
CVE-2026-9212
Insufficient authentication and input validation in the listed NETGEAR models allow users connected to the local network to execute commands impacting the product's confidentiality or to change certain configurations.
CVE-2026-9211
An unauthenticated user on the local network can gain control of the router and make unauthorized changes to its operation.
