{"uuid": "f76aa55c-fcf9-49f7-8a53-ced46a4bb66d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-59706", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/116890266111536679", "content": "I keep hearing how AI and LLMs are the future but they sure keep feeling like shitty applications from 20 years ago.\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-59706\n\nmem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. Unauthenticated attackers can retrieve stored secrets like OpenAI API keys via GET /api/v1/config/ or trigger SSRF attacks by setting ollama_base_url to internal addresses like cloud IMDS via PUT /api/v1/config/mem0/llm endpoint.", "creation_timestamp": "2026-07-09T13:31:54.921466Z"}