CVE-2026-59706: mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request f
Summary
mem0 (a software tool) has a critical security flaw where API endpoints lack authentication (verification of user identity), allowing attackers to steal LLM API keys (credentials used to access AI services) stored in plaintext, and exploit SSRF attacks (server-side request forgery, where an attacker tricks a server into making requests to unintended internal systems) by controlling the ollama_base_url parameter. The vulnerability has a CVSS score of 9.2, indicating it is extremely severe.
Vulnerability Details
9.3(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
network
low
none
none
July 7, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
GHSA-382c-vx95-w3p5: Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-59706
First tracked: July 7, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 95%