What it is
A bare LLM has no memory between conversations. Agent-memory frameworks fix that. Mem0 is the runaway leader. It watches an agent’s conversation, extracts the facts worth remembering (“user prefers vegetarian”, “user lives in Denver”, “user’s company uses Postgres”), stores them in a vector DB, and re-injects the relevant ones into future prompts. Letta (formerly MemGPT), Zep, and Mem-Agent follow the same pattern. Together they are how an agent goes from goldfish to colleague.
What goes wrong
The memory store is a verbatim record of the private context the operator’s
busiest agents have accumulated: user preferences, business facts, and
sometimes credentials and PII that a user mentioned in passing. Mem0’s REST
API exposes /v1/memories/ with no authentication in the default Docker
Compose setup. Each memory record is attributed to a user_id, so the data is
also indexed by the operator’s own identity scheme. That makes it more useful
for the user and just as useful for an attacker, who can now ask for “all
memories about user 47” with a single filtered request.
How we test
We list memories via the unauthenticated API, capture the metadata of the
first few records (timestamps, user IDs, memory categories), and stop. A 401
or 403 on that request means authentication is enforced and there is no
finding. We do not page through the corpus and we do not read the memory
text. The memory categories alone (preferences, work-history, medical)
characterise the data class for the disclosure without our needing to read
individual entries.
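The probe described under “How we test”, together with the per-user_id view that “What goes wrong” warns about, as an added example. This is illustrative code written for this page, not Mem0’s client, test harness, or documented response format. It assumes the listing lives at /v1/memories/, optionally filtered by ?user_id=, and comes back either as a JSON array of records or as an object wrapping that array under "results"; the field names "id", "user_id", "created_at", "updated_at", "categories" and "memory" are assumptions. The memory text is never copied into the findings, and only the first page, and the first SAMPLE records of it, are examined.

```python
"""Metadata-only probe of an agent-memory listing endpoint (added example).

Assumed, not taken from Mem0's documentation: the listing path, the
?user_id= filter, the array-or-"results" response shape, and the record
field names. The memory text (assumed key "memory") is never retained.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

SAMPLE = 3                                    # records whose metadata we record
META_KEYS = ("id", "user_id", "created_at", "updated_at")
CONTENT_KEYS = {"memory", "text", "content"}  # assumed body keys; never kept


def records_from(payload):
    """Unwrap a bare array or a {"results": [...]} object (assumed shapes)."""
    if isinstance(payload, dict):
        payload = payload.get("results", [])
    return payload if isinstance(payload, list) else []


def summarise(payload, sample=SAMPLE):
    """Return metadata for the first `sample` records plus the category set."""
    found, categories = [], set()
    for rec in records_from(payload)[:sample]:
        if not isinstance(rec, dict):
            continue
        meta = {k: rec.get(k) for k in META_KEYS}
        cats = [c for c in (rec.get("categories") or []) if isinstance(c, str)]
        meta["categories"] = sorted(cats)
        categories.update(cats)
        found.append(meta)
    # Defensive check that no memory text leaked into what we write down.
    assert not any(k in rec for rec in found for k in CONTENT_KEYS)
    return {"records": found, "categories": sorted(categories)}


def classify_json(status, payload, sample=SAMPLE):
    """Decide from an HTTP status and a parsed body whether the listing is exposed."""
    if status in (401, 403):                  # auth enforced: not a finding
        return {"status": status, "exposed": False}
    recs = records_from(payload)
    if status != 200 or not recs:             # empty store or some other response
        return {"status": status, "exposed": False, "first_page": len(recs)}
    return {"status": status, "exposed": True, "first_page": len(recs),
            **summarise(payload, sample)}


def classify(status, body, sample=SAMPLE):
    """Same as classify_json, from raw bytes; a non-JSON body is not a finding."""
    try:
        payload = json.loads(body) if body else None
    except ValueError:
        return {"status": status, "exposed": False, "error": "non-JSON body"}
    return classify_json(status, payload, sample)


def probe(base_url, user_id=None, sample=SAMPLE, timeout=10):
    """One unauthenticated GET of the first page; nothing is followed or paged."""
    url = base_url.rstrip("/") + "/v1/memories/"
    if user_id is not None:                   # the per-user view the page warns about
        url += "?" + urllib.parse.urlencode({"user_id": str(user_id)})
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:                                      # deliberately no Authorization header
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), sample)
    except urllib.error.HTTPError as err:
        return classify(err.code, b"", sample)
    except urllib.error.URLError as err:
        return {"status": None, "exposed": False, "error": str(err.reason)}


# Constructed records standing in for a listing response; not real data.
SAMPLE_LISTING = [
    {"id": "m-1", "user_id": "47", "memory": "prefers vegetarian food",
     "categories": ["preferences"], "created_at": "2025-01-02T10:00:00Z",
     "updated_at": "2025-01-02T10:00:00Z"},
    {"id": "m-2", "user_id": "47", "memory": "worked at Acme 2019-2023",
     "categories": ["work-history"], "created_at": "2025-01-03T08:15:00Z",
     "updated_at": "2025-01-03T08:15:00Z"},
    {"id": "m-3", "user_id": "48", "memory": "mentioned a penicillin allergy",
     "categories": ["medical"], "created_at": "2025-01-04T12:30:00Z",
     "updated_at": "2025-01-04T12:30:00Z"},
    {"id": "m-4", "user_id": "49", "memory": "pasted a database password",
     "categories": ["credentials"], "created_at": "2025-01-05T09:00:00Z",
     "updated_at": "2025-01-05T09:00:00Z"},
]

if __name__ == "__main__":
    # Offline run against the constructed listing; probe() does the live request.
    print(json.dumps(classify_json(200, SAMPLE_LISTING), indent=2))
```

Against the constructed listing the result keeps three records of metadata and the category set {medical, preferences, work-history}; the fourth record, and every memory string, is left unread, which is what lets the finding be reported from data class alone.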