Mongodb Server

26 CVEs

CVE-2026-9740 HIGH PATCH This Week

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod process by sending a crafted message containing nested binary structures that trigger uncontrolled mutual recursion. The CVSS 4.0 score of 8.7 reflects high availability impact with network attack vector and no authentication required. No public exploit identified at time of analysis, but the low-complexity, no-auth profile makes this a priority patch for internet-reachable MongoDB deployments.

Tags: Denial Of Service, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.0%

CVE-2026-9735 MEDIUM PATCH This Month

MongoDB Server leaks SASL authentication credentials into plaintext server logs when connection health metric logging is enabled, exposing database passwords to any local actor with log file read access. The flaw (CWE-532) affects all versions per the available CPE data and was self-disclosed by MongoDB, indicating a vendor-acknowledged issue without a confirmed patch version at time of analysis. A low-privileged local attacker who can read the MongoDB log directory can harvest credentials and authenticate directly to the database - no public exploit exists at time of analysis, and it is not listed in the CISA KEV catalog.

Tags: Information Disclosure, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 6.8 | EPSS: 0.0%

CVE-2026-9753 HIGH PATCH This Week

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privileges to crash the database or read out-of-bounds memory by submitting a malformed binary diff through the $_internalApplyOplogUpdate aggregation pipeline stage. The flaw stems from inadequate validation of the binary diff document structure consumed by an internal oplog replay operator that is unexpectedly reachable from user-facing aggregation queries. No public exploit identified at time of analysis, but the low privilege bar and network attack vector make this a meaningful threat in multi-tenant or shared-credential MongoDB deployments.

Tags: Denial Of Service, Mongodb Server
Sources: NVD | CVSS 4.0: 7.2 | EPSS: 0.1%

CVE-2026-9752 HIGH PATCH This Week

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial query backed by a 2dsphere index where the indexed field holds a GeoJSON GeometryCollection containing a Polygon defined with a strict-winding CRS. The flaw is a CWE-476 null pointer dereference reached because the rejection guard for unsupported strict-winding polygons does not recurse into GeometryCollection members. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Tags: Denial Of Service, Null Pointer Dereference, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-9751 MEDIUM PATCH This Month

Plaintext credential exposure in MongoDB Server allows a local authenticated attacker to retrieve the LDAP query password from log files. When an administrator uses the runtime setParameter command to configure the ldapQueryPassword parameter, MongoDB writes the new password value to mongod.log in cleartext. Any local user with read access to the log file - a broad class on many deployments - can silently capture these credentials and use them to authenticate against or query the connected LDAP directory. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Tags: Information Disclosure, Mongodb Server
Sources: NVD | CVSS 4.0: 6.8 | EPSS: 0.0%

CVE-2026-9750 HIGH PATCH This Week

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash the mongod process or obtain incorrect query results by inserting specially crafted documents. The root cause - insufficient separation between user-controlled document fields and internal execution metadata (CWE-617: Reachable Assertion) - means the attack surface is the normal document write workflow, requiring no elevated roles. CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is consistent with this profile: network-reachable, low complexity, low-privilege; no public exploit or CISA KEV listing has been identified at time of analysis.

Tags: Denial Of Service, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.1%

CVE-2026-9749 HIGH PATCH This Week

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pipelines that use the internal $exchange stage with key-range partitioning and order-preserving delivery. When a single key range fills its consumer buffer, the high watermark is not updated correctly, leading to a reachable assertion (CWE-617) and likely process termination. No public exploit identified at time of analysis.

Tags: Information Disclosure, Microsoft, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-9748 HIGH PATCH This Week

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an aggregation pipeline that places the $_internalConvertBucketIndexStats stage upstream of a $facet stage. The misuse of the internal PauseExecution signal trips a hard invariant assertion in TeeBuffer, terminating the database process. No public exploit identified at time of analysis, and the issue is tracked in MongoDB's internal tracker SERVER-123951.

Tags: Denial Of Service, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.1%

CVE-2026-9747 HIGH PATCH This Week

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting aggregation pipelines that combine the internal fromRouter:true flag with runtimeConstants.userRoles. No public exploit identified at time of analysis, but the bug is tracked in MongoDB's public JIRA (SERVER-123918), which makes the trigger conditions discoverable. Impact is limited to availability (VA:H) with no data exposure or integrity compromise.

Tags: Denial Of Service, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-9746 HIGH PATCH This Week

Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with the internal $_requestReshardingResumeToken option and the exchange option, triggering a reachable invariant that crashes the mongod process. Any logged-in user with low privileges can repeatedly invoke the crash on default deployments, producing service-wide downtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the bug is vendor-confirmed via MongoDB Jira SERVER-124190.

Tags: Denial Of Service, Microsoft, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-9743 HIGH PATCH This Week

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the server process by issuing a specially crafted aggregation followed by a getMore command on the same cursor, triggering a null pointer dereference in the aggregation stage's _subPipeline field. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a credible availability threat for multi-tenant or shared MongoDB deployments.

Tags: Denial Of Service, Null Pointer Dereference, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-9742 HIGH PATCH This Week

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database process by submitting a crafted 'mechanism' value to the 'authenticate' command when OIDC authentication is configured. The flaw carries a CVSS 4.0 base score of 8.2 driven by network reachability, no privileges required, and high availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Tags: Denial Of Service, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 8.2 | EPSS: 0.1%

CVE-2026-9741 HIGH PATCH This Week

Sensitive information disclosure in MongoDB Server affects deployments using Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) when issuing $vectorSearch aggregation queries. Due to a flaw in client-side query analysis, literal values intended for encrypted fields inside $vectorSearch filter expressions are transmitted to the server as plaintext instead of ciphertext, defeating the confidentiality guarantee of client-side encryption. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Tags: Information Disclosure, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-8843 HIGH PATCH This Week

Denial of service in MongoDB Server 7.0, 8.0, and 8.2 allows authenticated remote attackers to crash the database by inserting documents that trigger updates to a maliciously created '2dsphere_bucket' or 'queryable_encrypted_range' index on a non-timeseries bucket collection. The flaw stems from a reachable assertion (CWE-617) and is reported by MongoDB itself with a vendor patch available; no public exploit identified at time of analysis.

Tags: Denial Of Service, Mongodb Server
Sources: NVD | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-8202 MEDIUM PATCH This Month

Denial of service in MongoDB Server v7.0 through v8.3 allows authenticated users with aggregation permissions to exhaust CPU resources via densely populated character masks in $trim, $ltrim, and $rtrim aggregation operators. An attacker can pin CPU utilization at 100% for extended periods by crafting malicious aggregation queries with large input strings and computationally expensive mask patterns. No public exploit code or active exploitation has been reported at time of analysis.

Tags: Denial Of Service, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 5.3 | EPSS: 0.0%

CVE-2026-8336 HIGH PATCH This Week

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or mapreduce map functions) with subsequent JavaScript engine invocations ($where, $function, mapreduce reduce stages), triggering a use-after-free condition. Affects MongoDB Server 7.0 (prior to 7.0.34), 8.0 (prior to 8.0.23), 8.2 (prior to 8.2.9), and 8.3 (prior to 8.3.2). Vendor-released patches are available for all affected branches. No public exploit identified at time of analysis; the EPSS score of 0.05% (16th percentile) suggests low observed exploitation probability despite the 7.7 CVSS score. The CWE-416 use-after-free root cause requires precise sequencing of JavaScript operations, limiting exploitability.

Tags: Denial Of Service, Use After Free, Memory Corruption, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 7.7 | EPSS: 0.1%

CVE-2026-8201 MEDIUM PATCH This Month

Use-after-free in MongoDB Server's Field-Level Encryption query analysis component allows authenticated remote attackers with control over FLE query structure to cause information disclosure and denial of service. The vulnerability affects mongocryptd and crypt_shared in versions 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. No public exploit code identified at time of analysis.

Tags: Information Disclosure, Use After Free, Memory Corruption, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 6.1 | EPSS: 0.0%

CVE-2026-8200 MEDIUM PATCH This Month

MongoDB Server fails to fully redact user data in local server log messages when schema validation is enabled and an update or insert operation violates the collection schema, allowing authenticated administrators to access sensitive information through log inspection. This information disclosure affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. The vulnerability requires high-privilege administrative access and has a low CVSS score of 2.7, indicating limited real-world impact despite confirmed patch availability.

Tags: Information Disclosure, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 4.8 | EPSS: 0.0%

CVE-2026-8199 HIGH PATCH This Week

Authenticated attackers can exhaust MongoDB Server memory using malicious bitwise match expressions ($bitsAllSet, $bitsAnySet, $bitsAllClear, $bitsAnyClear), leading to out-of-memory denial of service. Affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. Vendor-released patches are available across all affected major versions. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability in the wild, and no public exploit code has been identified at time of analysis.

Tags: Information Disclosure, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-8053 HIGH PATCH This Week

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authenticated users with database write privileges. Affects all active release branches (5.0 through 8.3) when exploiting field-name-to-index mapping inconsistencies in the time-series bucket catalog. EPSS score of 0.06% (20th percentile) suggests low widespread exploitation probability despite high CVSS 8.7, but requires authentication and database privileges, limiting attack surface to insider threats or compromised application credentials. No public exploit code or CISA KEV listing identified at time of analysis.

Tags: RCE, Buffer Overflow, Memory Corruption, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.1%

CVE-2026-8063 HIGH PATCH This Week

MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.

Tags: Denial Of Service, Null Pointer Dereference, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-6914 HIGH PATCH This Week

Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB Server. This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, and MongoDB Server v7.0 versions prior to 7.0.32.

Tags: Information Disclosure, Integer Overflow, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.0%

CVE-2026-5170 MEDIUM PATCH This Month

Denial of service in MongoDB Server allows authenticated users with limited cluster privileges to crash a mongod process during replica set to sharded cluster promotion, causing potential primary failure. Affects MongoDB 8.2 before 8.2.2, 8.0.18+, and 7.0.31+. No public exploit code or active exploitation confirmed; CVSS 5.3 reflects the narrow attack window and authentication requirement.

Tags: Denial Of Service, Mongodb Server
Sources: NVD | CVSS 4.0: 6.0 | EPSS: 0.0%

CVE-2026-4358 MEDIUM PATCH This Month

Memory corruption in MongoDB Server's slot-based execution engine can be triggered by authenticated users with write privileges through malicious $lookup aggregation queries that cause hash table spillover to disk. Successful exploitation enables denial of service and potential information disclosure, though a patch is not currently available. The attack requires network access and specific query construction, limiting the practical exploit window.

Tags: Information Disclosure, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 6.1 | EPSS: 0.1%

CVE-2026-4148 HIGH PATCH This Week

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read permissions execute malicious $lookup or $graphLookup aggregation pipeline operations. An attacker can exploit this vulnerability to achieve high-impact outcomes including information disclosure, data manipulation, and denial of service. No patch is currently available for this vulnerability.

Tags: Information Disclosure, Use After Free, Memory Corruption, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.0%

CVE-2026-4147 HIGH PATCH This Week

An authenticated user with read-only role can extract limited amounts of uninitialized stack memory through specially crafted issuances of the filemd5 command in MongoDB Server. This information disclosure vulnerability affects MongoDB Server versions 8.2 prior to 8.2.6, 8.0 prior to 8.0.20, and 7.0 prior to 7.0.31. An attacker with valid database read credentials can exploit this to leak sensitive data from process memory without requiring elevated privileges or user interaction.

Tags: Information Disclosure, Mongodb Server
Sources: NVD, VulDB | CVSS 4.0: 7.1 | EPSS: 0.0%