{"data":{"id":"48d0bff1-7d86-4e79-a9ab-1b39b029d1d5","title":"CVE-2026-59706: mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request f","summary":"mem0 (a software tool) has a critical security flaw where API endpoints lack authentication (verification of user identity), allowing attackers to steal LLM API keys (credentials used to access AI services) stored in plaintext, and exploit SSRF attacks (server-side request forgery, where an attacker tricks a server into making requests to unintended internal systems) by controlling the ollama_base_url parameter. The vulnerability has a CVSS score of 9.2, indicating it is extremely severe.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-59706","publishedAt":"2026-07-07T22:16:54.503Z","cveId":"CVE-2026-59706","cweIds":["CWE-306"],"cvssScore":"9.3","cvssSeverity":"critical","severity":"critical","attackType":["pii_leakage","supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["mem0","OpenAI","Ollama"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-07T22:16:54.503Z","capecIds":["CAPEC-115"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}