Technical description
In the Mem0 self-hosted server (versions through 0.2.8, fixed in commit ae7f406), the POST /configure endpoint modifies the global LLM provider and embedder configuration (e.g., which AI provider and model to use for all memory operations). The endpoint verifies authentication via JWT or X-API-Key but does not validate that the caller has administrative scope. Any authenticated low-privilege user can therefore overwrite the global LLM or embedder configuration, potentially redirecting all future memory operations to an attacker-controlled model endpoint or embedding provider and enabling data exfiltration or manipulation of agent memory context.
Attack vector
An authenticated attacker (any API key holder) sends a POST to /configure with attacker-controlled LLM provider settings. From that point, all memory writes and reads through the Mem0 server use the attacker's endpoint, exposing stored agent memories and potentially corrupting future agent reasoning.
Affected systems
Mem0 self-hosted server ≤0.2.8. Mem0 is widely used as the long-term memory layer for LLM agents; compromising its configuration affects all agents relying on it for persistent context.
Mitigation
Upgrade Mem0 to commit ae7f406 or later (the fix adds role-based authorization to /configure). Restrict API key issuance to trusted principals; audit who holds Mem0 API keys; add network-level controls limiting /configure access to admin hosts only.
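The gap between authentication and authorization described above, next to the role check the mitigation refers to, modeled in framework-free Python. This is an added example, not Mem0's code or its actual fix; the key store, role names, method names and configuration values are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # hypothetical role names: "admin" or "user"


# Constructed sample key store; keys and principal names are placeholders.
API_KEYS = {
    "key-admin-EXAMPLE": Principal("ops-admin", "admin"),
    "key-agent-EXAMPLE": Principal("agent-7", "user"),
}


def default_config():
    # Constructed global settings shared by every memory operation.
    return {"llm": {"provider": "provider-a", "base_url": "https://llm.internal.example"}}


@dataclass
class Server:
    config: dict = field(default_factory=default_config)

    def authenticate(self, api_key):
        """Authentication only: is this a key the server issued?"""
        return API_KEYS.get(api_key)

    def configure_authn_only(self, api_key, new_config):
        """Flawed pattern: any valid key may replace the global config."""
        if self.authenticate(api_key) is None:
            return 401
        self.config = new_config
        return 200

    def configure_with_authz(self, api_key, new_config):
        """Hardened pattern: a valid key AND the admin role are required."""
        principal = self.authenticate(api_key)
        if principal is None:
            return 401
        if principal.role != "admin":
            return 403  # authenticated, but not allowed to change global state
        self.config = new_config
        return 200
```

A regression test for the fix should assert the 403 path and that the stored configuration is unchanged afterwards, not only that admin requests still succeed.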