CVE-2025-13643
LOWCVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Description
A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14
Analysis
A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.
Technical Context
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14 Affected products include: Mongodb. Version information: prior to 7.0.26.
Affected Products
Mongodb.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today