Severity by source
Primary rating from Vendor (mongodb); only source for this CVE.
CVSS vector (Vendor: mongodb):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash the MongoDB server.
Analysis (AI-generated)
Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting aggregation pipelines that combine the internal fromRouter:true flag with runtimeConstants.userRoles. No public exploit identified at time of analysis, but the bug is tracked in MongoDB's public JIRA (SERVER-123918), which makes the trigger conditions discoverable. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must hold valid MongoDB credentials with at least minimal privileges to run aggregation commands (CVSS PR:L) and must be able to reach the mongod listener over the network (AV:N), with no user interaction required (UI:N). … |
| Risk Assessment | CVSS 4.0 scores this 7.1 with AV:N/AC:L/PR:L/UI:N and VA:H: a low-privilege authenticated remote attacker with network reach to the database can reliably crash the server, but there is no confidentiality or integrity impact. … |
| Exploit Scenario | An attacker who has obtained any low-privileged MongoDB credential (for example via a leaked application connection string or an insider account) connects to the mongod instance and issues an aggregation command that injects fromRouter:true alongside runtimeConstants.userRoles. The server hits the reachable assertion and the mongod process crashes, taking the node (and, if repeated against each replica, the replica set) offline until restart. … |
| Remediation | The upstream fix is tracked in MongoDB JIRA SERVER-123918 at https://jira.mongodb.org/browse/SERVER-123918; the released patched version was not independently confirmed from the supplied references, so consult the linked ticket and the MongoDB security advisories page for the exact build numbers per release train and upgrade affected mongod and mongos instances accordingly. … |
Recommended Action (AI-generated)
Within 24 hours: Identify all MongoDB Server instances accessible to untrusted authenticated users and document which databases are business-critical. …
Weakness: CWE-617 – Reachable Assertion
Technique: Denial of Service
Related identifiers:
- EUVD-2026-35863
- GHSA-43fh-5xpm-3q9m