EVENTYou’re invited to MongoDB.local NYC on May 2. Use code Web50 for 50% off your ticket! Learn more >

MongoDB Alerts

This page lists critical alerts and advisories for MongoDB. See the MongoDB JIRA for a comprehensive list of bugs and feature requests.

General

MongoDB Security Notice

1/23/24 - 6:00 PM EST

MongoDB has published a Post Event Summary for the security incident first reported here on December 16, 2023, US Eastern time (EST). As a reminder, our investigation is complete and closed, with our findings verified by our third-party forensic experts.

1/03/24 - 5:00 PM EST

Our investigation of the security incident first reported here on December 16, 2023, US Eastern time (EST) is now complete and closed.

The investigation led by our security and engineering teams uncovered no evidence of unauthorized access to MongoDB Atlas clusters. This finding has been verified by our third-party forensic experts.

We are committed to being timely and transparent with details about this Security Incident. We plan to release a post event summary as soon as practicable.

All updates >

Data Integrity Related

02/20/2024

An issue in mongodump can cause keys in collection options to be dumped in the wrong order. These alterations could change the result set returned by a view or change which documents are accepted by a validator.

Affects:

Atlas, Mongodump

versions:

A fix has been released on Atlas, but free or shared clusters may have been impacted in the past.
Mongodump 4.2.0 - 100.9.0

11/29/2023

An issue affecting inserts to Sharded Time Series collections can result in inserted documents on these collections to be immediately orphaned, leading to documents not being returned by queries and potential data loss.

Affects:

MongoDB Server

versions:

5.0.6 - 5.0.21
6.0.0 - 6.0.11
7.0.0 - 7.0.2

11/10/2023

A race condition in mongosync 1.5 can lead to some writes on the source not being replicated to the destination. Upgrade to version 1.6 or later.

Affects:

Cluster-to-Cluster Sync (mongosync)

versions:

1.5.0

05/23/2023

A storage engine issue can cause inconsistent incremental Ops Manager and Cloud Manager backups. Clusters restored from affected incremental backups can crash with checksum errors. Atlas customers/backups are not affected.

Affects:

Ops Manager and Cloud Manager

versions:

4.4.8 - 4.4.21
5.0.2 - 5.0.17
6.0.0 - 6.0.5

03/14/2023

A storage engine bug in MongoDB running on ARM64 or POWER architectures may store documents or index entries out of order, leading to inconsistencies and improperly sorted or incomplete query results.

Affects:

MongoDB Server

versions:

4.2.0 - 4.2.23
4.4.0 - 4.4.18
5.0.0 - 5.0.14
6.0.0 - 6.0.4
6.1.0 - 6.2.0

09/19/2022

A MongoDB agent issue in Atlas, Ops Manager, and Cloud Manager can cause automated "rolling index builds" to introduce index inconsistencies. MongoDB clusters on other platforms are not affected.

Affects:

Atlas, Ops Manager, and Cloud Manager

versions:

MongoDB versions 4.2.19+, 4.4.13+, 5.0.6+, 5.1-5.3, and 6.0.0+ running on:
- Atlas - a fix has been released on Atlas, but clusters may have been impacted in the past.
- Ops Manager versions 5.0.10-5.0.14 and 6.0.0-6.0.2
- Cloud Manager running MongoDB Agent version from 11.13.0.7438-1 to 12.4.0.7702-1

08/11/2022

A behavior change for improperly configured time-to-live (TTL) indexes can suddenly expire documents when upgrading to MongoDB 5.0 or 6.0 from version 4.4 or earlier.

Affects:

MongoDB Server

versions:

5.0.X
6.0.X

08/10/2022

A sharding metadata bug in MongoDB versions 5.0.0-5.0.10 and 6.0.0 can introduce corruption during a movePrimary command.

Affects:

MongoDB Server

versions:

5.0.0 - 5.0.10
6.0.0

11/12/2021

A storage engine bug in MongoDB 4.4.3 and 4.4.4 can introduce corruption when upgrading to 4.4.8-4.4.10 or 5.0.2-5.0.5. It is safe to upgrade from versions 4.4.3 and 4.4.4 directly to 4.4.11+ or 5.0.6+

Affects:

MongoDB Server

versions:

4.4.3
4.4.4

09/22/2021

A storage engine bug in MongoDB 4.4.2-4.4.8, and 5.0.0-5.0.2 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9 or 5.0.3.

Affects:

MongoDB Server

versions:

4.4.2-4.4.8
5.0.0-5.0.2

09/22/2021

A storage engine bug in MongoDB 4.4.8 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9.

Affects:

MongoDB Server

versions:

4.4.8

08/06/2021

A storage engine bug in MongoDB 4.4.7, 5.0.0, and 5.0.1 allows some inserts to violate unique index constraints. Upgrade to version 4.4.8 or 5.0.2.

Affects:

MongoDB Server

versions:

4.4.7
5.0.0
5.0.1

05/19/2021

A storage engine bug in MongoDB 4.4.5 causes crashes on startup and may cause temporary query correctness issues. Upgrade to version 4.4.6.

Affects:

MongoDB Server

versions:

4.4.5

10/12/2020

Possible Corruption of Backup Snapshots on certain MongoDB 4.2+ Products

Affects:

MongoDB Server

versions:

4.2+

06/16/2020

Possible buffer overflow may result cause in-memory corruption on MongoDB 4.2.7 with incremental backup enabled.

Affects:

MongoDB Server

versions:

4.2.7

01/09/2020

A memory management bug can cause lost documents and index inconsistencies on replica set secondaries that restart during index builds.

Affects:

MongoDB Server

versions:

4.2.0
4.2.1

01/07/2020

When MongoDB recovers from an unclean shutdown, it is possible for the recovery process to corrupt documents that have received size-changing updates.

Affects:

MongoDB Server

versions:

3.6.14
3.6.15

09/23/2019

A memory management bug can cause failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

Affects:

MongoDB Server

versions:

4.2.0

02/22/2018

We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions.

Affects:

Compass

versions:

1.3.x - 1.11.1

05/03/2016

While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes.

Affects:

Indexing

versions:

3.0
3.2

03/30/2016

During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss.

Affects:

Sharding

versions:

3.0.9
3.0.10

12/16/2015

In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not.

Affects:

Replication

versions:

3.2.0

12/09/2015

A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication.

Affects:

WiredTiger

versions:

3.0.0 - 3.0.7

06/15/2015

Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load.

Affects:

Sharding

versions:

3.0.0 - 3.0.3

10/02/2014

MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.

Affects:

Storage

versions:

2.4.11
2.6.4

08/03/2014

An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results.

Affects:

Text Search

versions:

2.4.0 - 2.4.10
2.6.0

01/01/2014

Under very rare circumstances mongos may incorrectly report a write as successful.

Affects:

Sharding

versions:

2.2.0 - 2.2.6
2.4.0 - 2.4.8

10/21/2013

During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process

Affects:

Sharding

versions:

2.2.0 - 2.2.5
2.4.0 - 2.4.4

03/21/2013

Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync.

Affects:

Replication

versions:

2.4.0

Operations Related

10/29/2013

Caching of dbhash results may result in stale values, potentially causing disagreement among sharded cluster config servers.

Affects:

MongoDB Server

versions:

2.4.7

Security Related

02/29/2024
CVE-2024-1351
8.8

MongoDB Server may allow successful untrusted connection

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer c...

Affects:

MongoDB Server

versions:

7.0 affects 7.0.5 and prior versions
6.0 affects 6.0.13 and prior versions
5.0 affects 5.0.24 and prior versions
4.4 affects 4.4.28 and prior versions

01/12/2024
CVE-2023-0437
5.3

MongoDB client C Driver may infinitely loop when validating certain BSON input data

When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot b...

Affects:

MongoDB C Driver

versions:

1.0.0 affects versions prior to 1.25.0

11/07/2023
CVE-2023-0436
4.5

Secret logging may occur in debug mode of Atlas Operator

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information...

Affects:

MongoDB Atlas Kubernetes Operator

versions:

1.5.0 affects 1.7.0 and prior versions

08/29/2023
CVE-2021-32050
4.2

Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data...

Affects:

MongoDB C Driver

versions:

1.0.0 affects versions prior to 1.17.7

08/23/2023
CVE-2023-1409
5.3

Certificate validation issue in MongoDB Server running on Windows or macOS

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific...

Affects:

MongoDB Server

versions:

6.3 affects 6.3.2 and prior versions
5.0 affects 5.0.14 and prior versions
4.4 affects 4.4.23 and prior versions

08/08/2023
CVE-2023-4009
7.2

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an...

Affects:

MongoDB Ops Manager

versions:

6.0 affects versions prior to 6.0.17
5.0 affects versions prior to 5.0.22

06/09/2023
CVE-2023-0342
3.1

MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app...

Affects:

MongoDB Ops Manager

versions:

v5.0 affects versions prior to 5.0.21
v6.0 affects versions prior to 6.0.12

02/21/2023
CVE-2022-48282
6.6

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution

Under very specific circumstances (see Required configuration section below), a privileged...

Affects:

MongoDB .NET/C# Driver

versions:

0 affects v2.18.0 and prior versions

05/11/2022
CVE-2022-24272
6.5

MongoDB Server (mongod) may crash in response to unexpected requests

An authenticated user may trigger an invariant assertion during command dispatch due to in...

Affects:

MongoDB Server

versions:

5.0 affects 5.0.6 and prior versions

04/12/2022
CVE-2021-32040
6.5

Large aggregation pipelines with a specific stage can crash mongod under default configuration

It may be possible to have an extremely long aggregation pipeline in conjunction with a sp...

Affects:

MongoDB Server

versions:

5.0 affects versions prior to 5.0.4
4.4 affects versions prior to 4.4.11
4.2 affects versions prior to 4.2.16

02/04/2022
CVE-2021-32036
5.4

Denial of Service and Data Integrity vulnerability in features command

An authenticated user without any specific authorizations may be able to repeatedly invoke...

Affects:

MongoDB Server

versions:

5.0 affects 5.0.3 and prior versions
4.4 affects 4.4.9 and prior versions
4.2 affects 4.2.16 and prior versions
4.0 affects 4.0.28 and prior versions

01/20/2022
CVE-2021-32039
5.5

MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text

Users with appropriate file access may be able to access unencrypted user credentials save...

Affects:

MongoDB for VS Code

versions:

MongoDB for VS Code affects 0.7.0 and prior versions

12/15/2021
CVE-2021-20330
6.5

Specific replication command with malformed oplog entries can crash secondaries

An attacker with basic CRUD permissions on a replicated collection can run the applyOps co...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.27
4.2 affects versions prior to 4.2.16
4.4 affects versions prior to 4.4.9

11/24/2021
CVE-2021-32037
6.5

User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or serve...

Affects:

MongoDB Server

versions:

5.0 affects 5.0.2 and prior versions

08/02/2021
CVE-2021-20332
4.2

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application

Specific MongoDB Rust Driver versions can include credentials used by the connection pool ...

Affects:

MongoDB Rust Driver

versions:

2.0.0-alpha
2.0.0-alpha1
1.0.0 affects 1.2.1 and prior versions

07/23/2021
CVE-2021-20333
5.3

Server log entry spoofing via newline injection

Sending specially crafted commands to a MongoDB Server may result in artificial log entrie...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.10

06/10/2021
CVE-2021-20329
6.8

Specific cstrings input may not be properly validated in the Go Driver

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marsha...

Affects:

MongoDB Go Driver

versions:

1.0 affects 1.5.0 and prior versions

05/24/2021
CVE-2021-20331
4.2

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application

Specific versions of the MongoDB C# Driver may erroneously publish events containing authe...

Affects:

MongoDB C# Driver

versions:

2.12 affects 2.12.1 and prior versions

04/30/2021
CVE-2021-20326
6.5

Specially crafted query may result in a denial of service of mongod

A user authorized to performing a specific type of find query may trigger a denial of serv...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.4

04/12/2021
CVE-2020-7924
4.2

Specific command line parameter might result in accepting invalid certificate

Usage of specific command line parameter in MongoDB Tools which was originally intended to...

Affects:

MongoDB Database Tools

versions:

3.6.5 affects versions prior to 3.6*
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.11
100 affects versions prior to 100.2.0

04/06/2021
CVE-2021-20334
4.8

Local privilege escalation in MongoDB Compass for Windows

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is in...

Affects:

MongoDB Compass

versions:

1.3.0 affects versions prior to 1.x*

02/26/2021
CVE-2020-7929
6.5

Specially crafted regex query can cause DoS

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.21
4.0 affects versions prior to 4.0.20

02/26/2021
CVE-2018-25004
4.9

Invariant failure when explaining a find with a UUID

A user authorized to performing a specific type of query may trigger a denial of service b...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.11
4.0 affects versions prior to 4.0.6

02/25/2021
CVE-2021-20327
6.4

MongoDB Node.js client side field level encryption library may not be validating KMS certificate

A specific version of the Node.js mongodb-client-encryption module does not perform correc...

Affects:

mongodb-client-encryption module

versions:

1.2.0

02/25/2021
CVE-2021-20328
6.4

MongoDB Java driver client-side field level encryption not verifying KMS host name

Specific versions of the Java driver that support client-side field level encryption (CSFL...

Affects:

mongo-java-driver

versions:

3.11 affects 3.11.2 and prior versions
3.12 affects 3.12.7 and prior versions

02/11/2021
CVE-2021-20335
6.7

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager

For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turn...

Affects:

Ops Manager

versions:

4.2 affects 4.2.24 and prior versions

12/01/2020
CVE-2019-20924
6.5

Invariant in IndexBoundsBuilder

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.2

11/30/2020
CVE-2020-7925
7.5

Denial of Service when processing malformed Role names

Incorrect validation of user input in the role name parser may lead to use of uninitialize...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.0-rc12

11/30/2020
CVE-2020-7926
6.5

Specific query can cause a DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing a spe...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.1

11/30/2020
CVE-2020-7927
8.1

Potential privilege escalation in Ops Manager API

Specially crafted API calls may allow an authenticated user who holds Organization Owner p...

Affects:

MongoDB Ops Manager

versions:

4.2 affects 4.2.17 and prior versions
4.3 affects 4.3.9 and prior versions
4.4 affects 4.4.2 and prior versions

11/30/2020
CVE-2019-2392
6.5

$mod can result in UB

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.20
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.1

11/30/2020
CVE-2019-2393
6.5

Crash while joining collections with $lookup

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.15
4.0 affects versions prior to 4.0.13
4.2 affects versions prior to 4.2.1

11/30/2020
CVE-2019-20923
6.5

Crash while handling internal Javascript exception types

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.7

11/30/2020
CVE-2018-20802
6.5

Post-auth queries on compound index may crash mongod

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.9
4.0 affects versions prior to 4.0.3

11/30/2020
CVE-2018-20804
6.5

Invariant failure in applyOps

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.13
4.0 affects versions prior to 4.0.10

11/30/2020
CVE-2018-20805
6.5

Invariant with $elemMatch

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.0.5

11/24/2020
CVE-2019-20925
7.5

Denial of service via malformed network packet

An unauthenticated client can trigger denial of service by issuing specially crafted wire ...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.1
4.0 affects versions prior to 4.0.13
3.6 affects versions prior to 3.6.15
3.4 affects versions prior to 3.4.24

11/23/2020
CVE-2020-7928
6.5

Improper neutralization of null byte leads to read overrun

A user authorized to perform database queries may trigger a read overrun and access arbitr...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.1
4.2 affects versions prior to 4.2.9
4.0 affects versions prior to 4.0.20
3.6 affects versions prior to 3.6.20

11/23/2020
CVE-2018-20803
6.5

Infinite loop in aggregation expression

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.5
3.6 affects versions prior to 3.6.10
3.4 affects versions prior to 3.4.19

08/21/2020
CVE-2020-7923
6.5

Specific GeoQuery can cause DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing speci...

Affects:

MongoDB Server

versions:

4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19

05/13/2020
CVE-2019-2388
5.8

Potential exposure of log information in Ops Manager

In affected Ops Manager versions there is an exposed http route was that may allow attacke...

Affects:

Ops Manager

versions:

4.0.9
4.0.10
4.1.5

05/06/2020
CVE-2020-7921
4.6

Administrative action may disable enforcement of per-user IP whitelisting

Improper serialization of internal state in the authorization subsystem in MongoDB Server'...

Affects:

MongoDB Server

versions:

4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3

04/09/2020
CVE-2020-7922
6.4

Kubernetes Operator generates potentially insecure certificates

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...

Affects:

MongoDB Enterprise Kubernetes Operator

versions:

1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions

03/31/2020
CVE-2019-2391
4.2

JS-bson may incorrectly serialise some requests

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...

Affects:

js-bson

versions:

1.0 affects 1.1.3 and prior versions

08/30/2019
CVE-2019-2389
5.3

Process termination via PID file manipulation

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22

08/30/2019
CVE-2019-2390
8.2

Code execution on Windows via OpenSSL engine injection

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22

08/06/2019
CVE-2019-2386
7.1

Authorization session conflation

After user deletion in MongoDB Server the improper invalidation of authorization sessions ...

Affects:

MongoDB Server

versions:

4.0 affects versions prior to 4.0.9
3.6 affects versions prior to 3.6.13
3.4 affects versions prior to 3.4.22