CVE-2026-49948: Mem0 0.2.8 Missing Authorization via POST /configure Endpoint
Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: ae7f4062652df1376990221101d1adbb0819c973
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing authorization vulnerability in Mem0 (the self-hosted server component) through version 0.2.8 allows any authenticated user to modify global LLM provider and embedder configuration via the POST /configure endpoint. The service is reachable over the network, and a low-privilege API key is sufficient to trigger the attack with no victim interaction required. A successful attacker redirects all LLM and embedder traffic for the entire Mem0 instance to an attacker-controlled server, with the malicious configuration persisted across restarts. A patched-image rebuild at commit ae7f4062652df1376990221101d1adbb0819c973 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-49948 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the mem0ai package. Any image found running mem0 at or below version 0.2.8 is flagged automatically.
HarborGuard surfaces this CVE with its CVSS v4.0 score of 8.6 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild pinned to fix commit ae7f4062652df1376990221101d1adbb0819c973 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Mem0 self-hosted server's HTTP API over the network to issue the POST /configure request.
- Authentication: Required. A valid low-privilege account or distributed API key is sufficient; no admin or elevated role is needed because the endpoint does not validate caller role.
- Victim interaction: Not required. No user interaction is required; the attacker calls the endpoint directly with no social-engineering step.
- Attack complexity: Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or environmental prerequisites apply.
Blast Radius
- Reads all LLM prompt payloads and embedder inputs (which may include personal data, credentials, or proprietary text) by redirecting traffic to an attacker-controlled server.
- Modifies all LLM and embedder responses returned to every user on the instance, enabling injection of arbitrary model output.
- Persists the malicious configuration to PostgreSQL, so the redirect survives server restarts and continues to affect all API keys until the configuration is manually corrected.
- Affects the entire Mem0 instance and all tenants sharing it, not just the session of the authenticated attacker.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any image bundling mem0ai at or below 0.2.8, and a patched rebuild at fix commit ae7f406 is ready for affected environments. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For teams that cannot apply the patch immediately, recommended compensating controls include restricting network access to the POST /configure endpoint via ingress network policy (blocking all callers except a trusted admin source IP range), auditing current PostgreSQL-persisted LLM and embedder configuration for unexpected provider URLs, and rotating all distributed API keys in case any have been used by an unauthorized party. HarborGuard re-checks the advisory each ingest cycle and will surface any supplemental guidance published upstream.
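One way to run the configuration audit recommended above, as an added example (not HarborGuard's or Mem0's code): it walks a configuration document exported from the database and flags any provider URL whose parsed host is off an allowlist. The allowlist, the `base_url` key names and the sample document are assumptions constructed for illustration; the page does not give the persisted schema.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this deployment should send LLM/embedder traffic to.
ALLOWED_HOSTS = {"api.openai.com", "llm-gateway.internal.example"}

def find_urls(node, path=""):
    """Yield (json_path, url) for every http(s) URL string in a JSON-like value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_urls(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.strip().lower().startswith(("http://", "https://")):
        yield path, node.strip()

def audit_config(config, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per URL that is off-allowlist, plain HTTP, or malformed."""
    findings = []
    for path, url in find_urls(config):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:
            findings.append({"path": path, "url": url, "host": None, "reasons": ["unparseable URL"]})
            continue
        reasons = []
        # Compare the parsed host exactly; substring checks miss userinfo and suffix tricks.
        if host not in allowed_hosts:
            reasons.append("host not in allowlist")
        if parts.scheme.lower() != "https":
            reasons.append("not https")
        if parts.username or parts.password:
            reasons.append("userinfo in URL")
        if reasons:
            findings.append({"path": path, "url": url, "host": host, "reasons": reasons})
    return findings

# Constructed sample; the key names are assumptions, not Mem0's documented schema.
SAMPLE_CONFIG = {
    "llm": {"provider": "openai", "config": {"base_url": "https://api.openai.com@203.0.113.7/v1"}},
    "embedder": {"provider": "openai", "config": {"base_url": "https://api.openai.com/v1"}},
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Because the walk is schema-agnostic, the same function can be pointed at whatever JSON the persisted configuration is exported as, loaded with `json.load`.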
- mem0ai / mem0 ≤ 0.2.8, fixed in ae7f4062652df1376990221101d1adbb0819c973
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N