Skip to main content

MongoDB CVE-2026-1847

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-02-10 cna@mongodb.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 10, 2026 - 19:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.

AnalysisAI

MongoDB replica set replication can be disrupted when oversized documents are inserted, preventing secondaries from synchronizing oplog entries with the primary and potentially causing server crashes. Authenticated users with write access can trigger this denial of service condition to destabilize replica set availability. No patch is currently available for this vulnerability.

Technical ContextAI

Classified as CWE-770 (Allocation of Resources Without Limits or Throttling). Affects Mongodb. Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2013-1892 MEDIUM POC
6.0 Oct 01

MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMo

CVE-2013-3969 MEDIUM POC
6.5 Oct 01

The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2019-2386 HIGH POC
7.1 Aug 06

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's

CVE-2012-6619 MEDIUM POC
6.4 Mar 06

The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to

CVE-2026-3431 CRITICAL
9.8 Mar 02

SimStudio below 0.5.74 has a missing authorization on MongoDB tool endpoints that allows attackers to execute arbitrary

CVE-2024-8654 CRITICAL
9.8 Sep 10

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are calle

CVE-2024-1351 CRITICAL
9.8 Mar 07

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which ma

CVE-2021-20333 MEDIUM POC
5.3 Jul 23

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log e

CVE-2017-15535 CRITICAL
9.1 Nov 01

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompr

CVE-2020-2268 HIGH
8.8 Sep 16

A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain acc

CVE-2013-2132 MEDIUM POC
4.3 Aug 15

bson/_cbsonmodule.c in the mongo-python-driver (aka. Rated medium severity (CVSS 4.3), this vulnerability is remotely ex

Share

CVE-2026-1847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy