CVE-2026-49948 – Mem0 0.2.8 Missing Authorization via POST /configure Endpoint

CVE ID :CVE-2026-49948

Published : June 9, 2026, 4:16 p.m. | 19 minutes ago

Description :Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller’s role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8045 – Schneider Electric Data Center Expert XXE Information Disclosure

CVE-2026-8025 – SQLi in MOSK Informatics’ CBS Platform

CVE-2026-49938 – Fortinet FortiPortal Improper Access Control

CVE-2026-25089 – Fortinet FortiSandbox OS Command Injection