Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-59706

CRITICAL NVD
CVSS Score 9.3
Severity CRITICAL
Published Jul 07, 2026
Vendor unknown

Description

mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can retrieve stored secrets like OpenAI API keys via GET /api/v1/config/ or trigger SSRF attacks by setting ollama_base_url to internal addresses like cloud IMDS via PUT /api/v1/config/mem0/llm endpoint.

References