Severity by source
Primary rating from Vendor (mongodb), the only source for this CVE.
CVSS vector (Vendor: mongodb):
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to a server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
Analysis (AI)
Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database process by submitting a crafted 'mechanism' value to the 'authenticate' command when OIDC authentication is configured. The flaw carries a CVSS 4.0 base score of 8.2, driven by network reachability, no privileges required, and high availability impact; no public exploit was identified at the time of analysis, and the CVE is not listed in CISA KEV.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) the target mongod/mongos to be configured with OIDC authentication enabled (authenticationMechanisms includes MONGODB-OIDC), which the description states explicitly and which the CVSS AT:P flag reflects, and (2) network reachability to the database port (default 27017) from the attacker. … |
| Risk Assessment | Risk is meaningful for OIDC-enabled deployments and limited for everyone else. … |
| Exploit Scenario | An attacker with TCP reach to a MongoDB instance that has OIDC authentication enabled opens an unauthenticated connection and sends an 'authenticate' command containing a malformed 'mechanism' value, causing mongod to terminate. Repeating the single packet against every node, including arbiters and config servers, produces a sustained outage of the replica set or sharded cluster. … |
| Remediation | Patch availability is not enumerated in the provided data, so this should be treated as 'Patch available per vendor advisory': consult https://jira.mongodb.org/browse/SERVER-124183 and the corresponding MongoDB security advisory to identify the exact fixed minor versions for your release train, and upgrade mongod/mongos to those builds. … |
Recommended Action (AI)
Within 24 hours: audit which MongoDB instances have OIDC authentication enabled and implement firewall rules restricting network access to trusted internal networks only. …
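A defender's helper for the first recommended step (which nodes have OIDC enabled and listen beyond loopback), written for this page as an added example and not taken from MongoDB or vuln.today; it assumes each node's `db.adminCommand({getCmdLineOpts: 1})` output has been saved as JSON and that its `parsed` section mirrors the mongod.conf layout.

```python
import json

# Added example, not MongoDB code. Assumes the JSON returned by
# db.adminCommand({getCmdLineOpts: 1}) mirrors mongod.conf under "parsed"
# (setParameter.authenticationMechanisms, net.bindIp, net.bindIpAll) and may
# carry "--setParameter authenticationMechanisms=..." overrides in "argv".
OIDC = "MONGODB-OIDC"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def mechanisms(opts: dict) -> set[str]:
    """Union of authenticationMechanisms from the parsed config and from argv
    (both "--setParameter k=v" and "--setParameter=k=v" spellings)."""
    found: set[str] = set()
    cfg = opts.get("parsed", {}).get("setParameter", {}).get("authenticationMechanisms")
    if cfg:
        found.update(m.strip() for m in cfg.split(","))
    argv = opts.get("argv", [])
    for i, arg in enumerate(argv):
        val = argv[i + 1] if arg == "--setParameter" and i + 1 < len(argv) else None
        if arg.startswith("--setParameter="):
            val = arg.split("=", 1)[1]
        if val and val.startswith("authenticationMechanisms="):
            found.update(m.strip() for m in val.split("=", 1)[1].split(","))
    return found

def bind_addresses(opts: dict) -> set[str]:
    """Addresses mongod listens on; an unset bindIp means loopback only."""
    net = opts.get("parsed", {}).get("net", {})
    if net.get("bindIpAll"):
        return {"0.0.0.0"}
    return {a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")}

def audit_node(host: str, opts_json: str) -> dict:
    """Flag a node when OIDC is enabled AND the port is reachable beyond loopback."""
    opts = json.loads(opts_json)
    oidc = OIDC in mechanisms(opts)
    remote = bool(bind_addresses(opts) - LOOPBACK)
    return {"host": host, "oidc_enabled": oidc, "beyond_loopback": remote, "exposed": oidc and remote}

# Constructed sample documents standing in for two nodes' getCmdLineOpts output.
SAMPLES = {
    "db-a": '{"argv": ["mongod", "--config", "/etc/mongod.conf"], "parsed": {"net": {"bindIp": "0.0.0.0"},'
            ' "setParameter": {"authenticationMechanisms": "SCRAM-SHA-256,MONGODB-OIDC"}}, "ok": 1}',
    "db-b": '{"argv": ["mongod", "--setParameter", "authenticationMechanisms=SCRAM-SHA-256"],'
            ' "parsed": {"net": {"bindIp": "127.0.0.1"}}, "ok": 1}',
}

if __name__ == "__main__":
    for host, doc in SAMPLES.items():
        print(audit_node(host, doc))
```

Nodes reported as exposed are the ones to prioritise for the firewall restriction and the vendor patch; a node with OIDC enabled but bound to loopback only is not reachable for this pre-auth crash from the network.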
Related identifiers
EUVD-2026-35860
GHSA-qwqf-36v4-65w4