Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (NVD)
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Analysis (AI-generated)
Information disclosure in MongoDB Server allows authenticated users holding the read role to obtain small amounts of uninitialized stack memory by submitting specially-crafted filemd5 commands. The flaw stems from CWE-457 (Use of Uninitialized Variable) in the filemd5 command handler, and while no public exploit has been identified at time of analysis, the low attack complexity and network reachability make it a credible insider/credential-theft risk against MongoDB databases.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) network reachability to a mongod instance's wire protocol port (default 27017) and (2) valid authentication as a user holding the built-in read role or any custom role that grants the find privilege on a database containing GridFS collections, which is the prerequisite for issuing the filemd5 command. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) scores 7.1 and reflects a network-reachable, low-complexity attack requiring only low privileges, with high confidentiality impact but no integrity or availability impact, consistent with a memory disclosure primitive. … |
| Exploit Scenario | An attacker who has obtained or been granted a low-privilege MongoDB account with the read role (for example, via a leaked application connection string or a compromised analyst credential) connects to mongod over the network and repeatedly issues malformed filemd5 commands against a GridFS collection. Each response returns a few bytes of uninitialized stack memory, which the attacker accumulates over many calls to harvest fragments of in-process secrets such as authentication tokens, query data from other tenants, or pointers useful for bypassing ASLR in a follow-on exploit. … |
| Remediation | Patch available per vendor advisory; consult MongoDB SERVER-122207 (https://jira.mongodb.org/browse/SERVER-122207) for the fixed release on each supported branch (the input data does not name an exact released version, so verify the patched build against the ticket before deploying). … |
Recommended Action (AI-generated)
Within 24 hours: Identify MongoDB Server version(s) in production and audit all accounts with read-level permissions to confirm vulnerability applicability. …
Related advisories
- EUVD-2026-35853
- GHSA-87xp-xhjm-qgrh