MongoDB | Product Alerts

Tue, 16 Jun 2020 19:00:00 GMT

Possible buffer overflow may result cause in-memory corruption on MongoDB 4.2.7 with incremental backup enabled.

Wed, 09 Dec 2015 20:00:00 GMT

A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication.

Wed, 16 Dec 2015 20:00:00 GMT

In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not.

Wed, 30 Mar 2016 19:00:00 GMT

During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss.

Tue, 03 May 2016 19:00:00 GMT

While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes.

Thu, 22 Feb 2018 20:00:00 GMT

We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions.

Mon, 23 Sep 2019 19:00:00 GMT

A memory management bug can cause failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

Tue, 07 Jan 2020 20:00:00 GMT

When MongoDB recovers from an unclean shutdown, it is possible for the recovery process to corrupt documents that have received size-changing updates.

Thu, 09 Jan 2020 20:00:00 GMT

A memory management bug can cause lost documents and index inconsistencies on replica set secondaries that restart during index builds.

Mon, 15 Jun 2015 19:00:00 GMT

Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load.

Mon, 12 Oct 2020 19:00:00 GMT

Possible Corruption of Backup Snapshots on certain MongoDB 4.2+ Products

Wed, 19 May 2021 19:22:00 GMT

A storage engine bug in MongoDB 4.4.5 causes crashes on startup and may cause temporary query correctness issues. Upgrade to version 4.4.6.

Fri, 06 Aug 2021 17:41:00 GMT

A storage engine bug in MongoDB 4.4.7, 5.0.0, and 5.0.1 allows some inserts to violate unique index constraints. Upgrade to version 4.4.8 or 5.0.2.

Wed, 22 Sep 2021 16:00:00 GMT

A storage engine bug in MongoDB 4.4.8 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9

Wed, 22 Sep 2021 16:00:00 GMT

A storage engine bug in MongoDB 4.4.2 - 4.4.8, and 5.0.0 - 5.0.2 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9 or 5.0.3.

Fri, 12 Nov 2021 00:02:00 GMT

"A storage engine bug in MongoDB 4.4.3 and 4.4.4 can introduce corruption when upgrading to 4.4.8-4.4.10 or 5.0.2-5.0.5. It is safe to upgrade from versions 4.4.3 and 4.4.4 directly to 4.4.11+ or 5.0.6+"1

Wed, 10 Aug 2022 21:31:00 GMT

A sharding metadata bug in MongoDB versions 5.0.0-5.0.10 and 6.0.0 can introduce corruption during a movePrimary command.

Thu, 11 Aug 2022 20:20:00 GMT

A behavior change for improperly configured time-to-live (TTL) indexes can suddenly expire documents when upgrading to MongoDB 5.0 or 6.0 from version 4.4 or earlier.

Thu, 11 Sep 2025 11:01:00 GMT

When MongoDB is configured for FIPS mode on Linux operating systems which use OpenSSL 3 for cryptographic operations, MongoDB may use cryptographic algorithms from non-FIPS providers. This may allow clients to connect to a FIPS-mode MongoDB with TLS using non-FIPS-compliant cryptographic algorithms.

(MongoDB Security Notice)

Sat, 16 Dec 2023 20:00:00 GMT

MongoDB is actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which includes exposure of customer account metadata and contact information. We detected suspicious activity on Wednesday (Dec. 13th, 2023) evening US Eastern Standard Time, immediately activated our incident response process, and believe that this unauthorized access has been going on for some period of time before discovery. At this time, we are not aware of any exposure to the data that customers store in MongoDB Atlas. Nevertheless, we recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant multi-factor authentication (MFA), and regularly rotate their MongoDB Atlas passwords. MongoDB will update this alert page with additional information as we continue to investigate the matter.

(MongoDB Security Notice)

Tue, 26 Dec 2023 22:25:00 GMT

We are experiencing a spike in login attempts resulting in issues for customers attempting to log in to Atlas and our Support Portal. This is unrelated to the security incident. Please try again in a few minutes if you are still having trouble logging in. [The issue involving user login attempts has been resolved as of 10:22 PM EST]

(MongoDB Security Notice)

Thu, 28 Dec 2023 02:00:00 GMT

At this time, we have found no evidence of unauthorized access to MongoDB Atlas clusters. To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers system logs were accessed.We are continuing with our investigation, and are working with relevant authorities and forensic firms. MongoDB will update this alert page with additional information as we continue to investigate the matter.

(MongoDB Security Notice)

Fri, 29 Dec 2023 05:00:00 GMT

We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Our investigation and work with the relevant authorities is ongoing. MongoDB will update this alert page with pertinent information as we further investigate the matter. At this time, as a result of our investigation in collaboration with outside experts, we have high confidence that we were victims of a phishing attack. Through our investigation, we have identified certain information that may be helpful to protect yourself against a potential attack by this unauthorized partyIndicators of Compromise (IOCs)The unauthorized party used the Mullvad VPN. Mullvad has many external IP addresses, and there are many VPNs that can be used to hide an IP address. In this case, we saw malicious activity coming from the following IP addresses:107.150.22.47138.199.6.199146.70.187.157179.43.189.85185.156.46.165198.44.136.69198.44.136.71198.44.140.133198.44.140.199199.116.118.207206.217.205.8866.63.167.15266.63.167.15487.249.134.1096.44.191.132We recommend using the above information to search your networks for suspicious activity. We are committed to being as transparent in this process as we can and providing information so you can assess risk in your network.In regards to our previous guidance, instructions can be found here https://www.mongodb.com/docs/atlas/security-multi-factor-authentication/ on how to enable phishing-resistant MFA on MongoDBs native cloud authentication service. MongoDB Cloud also supports federating your identity from your IDP, please see here: https://www.mongodb.com/docs/atlas/security/federated-authentication/We have fielded questions from some customers about the authenticity of the e-mail titled: MongoDB Security Notice that our Chief Information Security Officer, Lena Smart, sent over the weekend from mongodbteam@mail1.mongodb.com. We can confirm that this email is legitimate.

(MongoDB Security Notice)

Wed, 03 Jan 2024 22:00:00 GMT

Our investigation of the security incident first reported here on December 16, 2023, US Eastern time (EST) is now complete and closed.The investigation led by our security and engineering teams uncovered no evidence of unauthorized access to MongoDB Atlas clusters. This finding has been verified by our third-party forensic experts.We are committed to being timely and transparent with details about this Security Incident. We plan to release a post event summary as soon as practicable.

(MongoDB Security Notice)

Thu, 04 Jan 2024 01:00:00 GMT

(MongoDB Security Notice)

Wed, 24 Jan 2024 02:00:00 GMT

MongoDB has published MongoDB has published a Post Event Summary at the Reference link, below, for the first security incident reported here on December 16, 2023, US Eastern time (EST). As a reminder, our investigation is complete and closed, with our findings verified by our third-party forensic experts.

Tue, 29 Oct 2013 19:00:00 GMT

Caching of dbhash results may result in stale values, potentially causing disagreement among sharded cluster config servers.

Mon, 19 Sep 2022 12:56:00 GMT

A MongoDB agent issue in Atlas, Ops Manager, and Cloud Manager can cause automated "rolling index builds" to introduce index inconsistencies. MongoDB clusters on other platforms are not affected.

Tue, 30 Sep 2025 12:12:00 GMT

Third-party distributions of the MongoDB Shell, such as those installed by the Homebrew or npm package managers, can be affected by a Node.js REPL bug that may cause unintended side effects to occur during autocomplete.

Thu, 22 Jan 2026 15:46:00 GMT

Major public Certificate Authorities are implementing policy requirements to stop issuing TLS certificates with client authentication (clientAuth) Extended Key Usage by April 2026. This industry-wide change only affects self-managed MongoDB deployments using mutual TLS (mTLS) or X.509 authentication with public CA certificates. Self-managed customers must migrate to private PKI infrastructure or reconfigure MongoDB before the April-May 2026 deadlines. Atlas customers are not affected.

Thu, 21 Mar 2013 19:00:00 GMT

Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync.

Mon, 21 Oct 2013 19:00:00 GMT

During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size in the range of 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process

Wed, 01 Jan 2014 20:00:00 GMT

Under very rare circumstances mongos may incorrectly report a write as successful.

Sun, 03 Aug 2014 19:00:00 GMT

An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results.

Thu, 02 Oct 2014 07:00:00 GMT

MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.

Thu, 20 Nov 2025 19:56:00 GMT

If a cluster undergoes a point-in-time (PIT) restore at a wall-clock time significantly after the TransactionRecordMinimumLifetimeMinutes timeout has elapsed, cross-shard transactions may be silently partially committed while still being acknowledged as successfully completed to the client. This can also occur in other rare conditions; see reference link for details.

Tue, 17 Jun 2025 10:38:00 GMT

Certain queries that involve an $elemMatch expression with string predicates may use an index with incompatible collation due to a plan cache bug. Impacted queries can return results which miss documents that should have been included. Write operations that rely on queries that incorrectly miss documents may not correctly update those documents. This includes updates, deletes, and $merge/$out aggregations with impacted query filters.

Wed, 16 Jul 2025 12:51:00 GMT

Combined alert for MongoDB Relational Migrator with multiple data integrity issues affecting data migrations from relational databases into MongoDB. These affect Snapshot migrations that contain specific mappings for cyclic dependency loops, array-in-doc-in-array nested embeddings, or use of the idempotency user setting. These also affect Continuous (CDC) migrations.

Thu, 07 Aug 2025 18:06:00 GMT

Performing deletes on time-series collection with a non-metaField filter followed by inserts on an adjacent time range, can result in data inserted after the delete to be prematurely TTL expired and/or missing from query results.

Thu, 07 Aug 2025 18:14:00 GMT

Time series data can be corrupted if double-precision metrics are inserted in a pattern of multiple successive values with identical non-zero deltas, followed by a measurement where the metric is missing, into a time series collection for a specific meta value and adjacent time range.

Tue, 16 Sep 2025 11:10:00 GMT

When restoring from a backup, mongorestore silently ignores namespaces containing a newline character, without logging any warning messages. This affects mongorestore versions 3.3.11-100.12.1. Please upgrade to version 100.12.2 or later. This issue also affects namespaces containing newlines on Atlas Flex-tier backup snapshots, and Free-tier clusters that have been in a paused state. In both these scenarios, Atlas uses mongorestore behind the scenes and the fix has already been applied.

Thu, 09 Oct 2025 10:42:00 GMT

Under certain situations, when running a join ($lookup, $graphLookup or $unionWith) in one database, followed by a $merge or $out written into another database, the join can read the wrong collection if the foreign collection of the join stage and the output collection of the $merge or $out stage have the same name. This will result in incorrect or missing results in the output collection.

Thu, 20 Nov 2025 11:02:00 GMT

When running on a standalone replica set while using queryable encryption or on a sharded cluster, write concern errors may be incorrectly suppressed when write errors occur (such as duplicate key errors or schema validation errors) or when the create command completes successfully (in a sharded cluster). This can cause applications to incorrectly assume that prior writes were durable, resulting in silent data loss. This can only occur if a primary failover and rollback subsequently occur.

Thu, 20 Nov 2025 18:02:00 GMT

2dsphere indexes on metric data in time series collections are not correctly maintained when inserting data into the time series collection. Index keys may not be generated and inserted into the index, causing geospatial queries optimized by it to return incomplete results.

Mon, 28 Apr 2025 18:40:00 GMT

A bug, under certain circumstances, may cause a simple equality (non-_id) predicate query on sharded collections to report no results when a valid result exists.

Thu, 20 Nov 2025 19:55:00 GMT

Under certain conditions, including a failover, a cross-shard transaction with apiVersion explicitly set may be partially committed while still being acknowledged as successfully completed to the client. This can lead to a torn transaction in versions v8.0v8.0.12, or (in other affected versions) cause interruptions to subsequent operations on the documents affected by the transaction.

Thu, 29 Jan 2026 15:57:00 GMT

Queries on a sharded collection which specify equalities on all fields of the sharding key and use any collation other than {locale: "simple"} may temporarily return duplicate records when chunks are being migrated between shards.

Thu, 12 Feb 2026 09:06:00 GMT

The SQL interface (Atlas and Enterprise Advanced) can return incorrect results when SQL queries contain a WHERE clause with an OR condition where one predicate evaluates to UNKNOWN and the other predicate evaluates to TRUE. This happens when the UNKNOWN predicates datasource contains a nullable field with null or missing values.

Tue, 17 Mar 2026 13:13:00 GMT

Aggregation queries containing a $sort stage immediately followed by a $group stage with $top or $bottom accumulators can return incorrect results. This occurs when the query uses a compound index that satisfies the $sort pattern, but the accumulator's sort direction does not match the pipeline's $sort direction.

Tue, 17 Mar 2026 18:05:00 GMT

Sharded collections with a compound wildcard index that includes the shard key as a prefix may be at risk of data loss during chunk migrations. Documents may be left behind on the donor shard if they are missing all fields defined in the compound wildcard index, or if the index uses descending order (e.g., {skey: 1, "a.$**": -1}) and the document's shard key matches the min boundary of the migration.

Thu, 14 May 2026 10:22:00 GMT

When connecting directly to shard nodes instead of through mongos (including during a replica set promotion to sharded cluster), cluster-wide default read/write concerns may not be honored, causing writes to use {w: 1} instead of configured concerns, potentially losing acknowledged writes if rollback occurs. Users should connect to sharded clusters exclusively through mongos. If a direct connection to a shard is required, users should upgrade to patched versions immediately or specify explicit read and write concerns (e.g., {w: "majority"}) in connection strings.

Thu, 14 May 2026 07:32:00 GMT

For users that have migrated with Relational Migrator: Sharded cluster migrations with embedded documents or embedded arrays may cause missing documents; Cyclic mappings with an excluded foreign key under an embedded array will be missing; A source table column used in multiple composite foreign key relationships can cause mismatched embeddings; Conflicting field name choices can cause omitted and mis-named fields.

Tue, 10 Sep 2024 13:09:00 GMT

The Node.js v22.7.0 runtime contains a regression related to its handling of UTF-8 encoding that can impact the data integrity of applications using the MongoDB Node.js driver. MongoDB does not use the affected Node.js version in any of its products, however, developers using MongoDBs Node.js driver could experience data integrity issues when data is written to their clusters via the Node.js v22.7.0 runtime.

Tue, 14 Mar 2023 18:51:00 GMT

A storage engine bug in MongoDB running on ARM64 or POWER architectures may store documents or index entries out of order, leading to inconsistencies and improperly sorted or incomplete query results.

Tue, 23 May 2023 14:40:00 GMT

A storage engine issue can cause inconsistent incremental Ops Manager and Cloud Manager backups. Clusters restored from affected incremental backups can crash with checksum errors. Atlas customers/backups are not affected.

Fri, 10 Nov 2023 18:11:00 GMT

A race condition in mongosync 1.5 can lead to some writes on the source not being replicated to the destination. Upgrade to version 1.6 or later.

Wed, 29 Nov 2023 18:00:00 GMT

An issue affecting inserts to Sharded Time Series collections can result in inserted documents on these collections to be immediately orphaned, leading to documents not being returned by queries and potential data loss.

Tue, 20 Feb 2024 14:40:00 GMT

An issue in mongodump can cause keys in collection options to be dumped in the wrong order. These alterations could change the result set returned by a view or change which documents are accepted by a validator.

Mon, 15 Apr 2024 18:43:00 GMT

Issues affecting multi-document transactions on sharded clusters which can cause sharded multi-document transactions to return incorrect data and possibly miss writes.

Tue, 02 Jul 2024 14:07:00 GMT

"Issues during the initial data copy in mongosync 1.1.0 1.7.1 may lead to some writes or documents on the source not being replicated to the destination. Upgrade to mongosync version 1.7.2 or later. Atlas Live Migrate relies on mongosync for migrations to MongoDB 6.0+ and the fix has been applied to Atlas Live Migrate."

Thu, 15 Aug 2024 19:35:00 GMT

To balance load and maintain a high quality of service, the Atlas Serverless system occasionally migrates data of serverless instances between different database servers. Certain multi-write, non-transactional database commands are not safely auto-retried by Atlas Serverless upon migration completion, which can lead to incorrect updates and deletes behavior.

Thu, 14 May 2026 10:11:00 GMT

In sharded clusters, a unique index with a non-simple collation (e.g. case-insensitive) whose shard key equals or is a strict prefix of the index key pattern does not enforce uniqueness across shards. Different shards can independently accept documents with byte-distinct but collation-equivalent values (e.g. "YES" and "yes"), silently breaking uniqueness guarantees. This requires two or more shards, a unique index with a non-simple collation, and the shard key equals or is a strict prefix of the index key pattern.

Thu, 03 Oct 2024 09:41:00 GMT

"A bug can cause incorrect results or crashes when running certain aggregation pipelines containing $group and $lookup while on MongoDB Server version 6.0.17."

Thu, 24 Oct 2024 10:13:00 GMT

Queries may return incomplete results when Time Series collections created prior to MongoDB 5.2 have been upgraded to MongoDB 6.0 or newer prior to those collections being cloned. Relatedly, Time Series collections on MongoDB Rapid Releases 7.1.0-7.3.3 that had their collection granularity changed via collMod while on those versions, may have also returned incomplete query results.

Wed, 11 Dec 2024 16:15:00 GMT

A reshardCollection operation on a cluster with at least two shards can potentially omit a collections catalog entry in a shards local catalog if a movePrimary operation had previously been issued on the same cluster. This impacts operations involving data migration that lookup the database cache namely movePrimary, reshardCollection, moveRange, and moveChunk.

Wed, 29 Jan 2025 15:39:00 GMT

Performing a delete with a non-metadata filter on a time-series collection that is sharded on the time field may result in data loss.

Wed, 29 Jan 2025 15:38:00 GMT

Time Series collections may experience data loss when multiple documents are inserted concurrently with ordered: false and retryable writes are enabled.

Mon, 03 Mar 2025 17:43:00 GMT

In certain situations, a resharded collection may have had retryable writes repeated on its documents multiple times.

Wed, 19 Mar 2025 12:09:00 GMT

When enabling the useBigInt64 option (disabled by default) to deserialize a value through the bson JavaScript library (which is included in the MongoDB Node.js driver), negative Int64 values can be parsed as large positive values (greater than 9,223,372,036,854,775,807).

User may trigger invariant when allowed to send commands directly to shards (CVE-2021-32037)

Wed, 24 Nov 2021 00:00:00 GMT

An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.

CVSS Score has been rated as 6.5

Specific replication command with malformed oplog entries can crash secondaries (CVE-2021-20330)

Wed, 15 Dec 2021 00:00:00 GMT

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.

CVSS Score has been rated as 6.5

MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text (CVE-2021-32039)

Thu, 20 Jan 2022 00:00:00 GMT

Users with appropriate file access may be able to access unencrypted user credentials saved by MongoDB Extension for VS Code in a binary file. These credentials may be used by malicious attackers to perform unauthorized actions. This vulnerability affects all MongoDB Extension for VS Code including and prior to version 0.7.0

CVSS Score has been rated as 5.5

Denial of Service and Data Integrity vulnerability in features command (CVE-2021-32036)

Fri, 04 Feb 2022 00:00:00 GMT

An authenticated user without any specific authorizations may be able to repeatedly invoke the features command where at a high volume may lead to resource depletion or generate high lock contention. This may result in denial of service and in rare cases could result in id field collisions.

CVSS Score has been rated as 5.4

Large aggregation pipelines with a specific stage can crash mongod under default configuration (CVE-2021-32040)

Tue, 12 Apr 2022 00:00:00 GMT

It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16.

CVSS Score has been rated as 6.5

MongoDB Server (mongod) may crash in response to unexpected requests (CVE-2022-24272)

Wed, 11 May 2022 00:00:00 GMT

An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.

CVSS Score has been rated as 6.5

MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive (CVE-2023-0342)

Fri, 09 Jun 2023 11:00:00 GMT

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12

CVSS Score has been rated as 3.1

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution (CVE-2022-48282)

Tue, 21 Feb 2023 19:39:00 GMT

Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0Following configuration must be true for the vulnerability to be applicable: * Application must written in C# taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to target database to add a _t discriminator."Following configuration must be true for the vulnerability to be applicable

CVSS Score has been rated as 6.6

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager (CVE-2023-4009)

Tue, 08 Aug 2023 10:30:00 GMT

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

CVSS Score has been rated as 7.2

Certificate validation issue in MongoDB Server running on Windows or macOS (CVE-2023-1409)

Wed, 23 Aug 2023 16:18:00 GMT

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely in other platforms (e.g. Linux), it is possible that client certificate validation may not be in effect, potentially allowing client to establish a TLS connection with the server that supplies any certificate.This issue affect all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14 and all MongoDB Server v4.4 versions.

CVSS Score has been rated as 5.3

Secret logging may occur in debug mode of Atlas Operator (CVE-2023-0436)

Tue, 07 Nov 2023 12:41:00 GMT

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information like GCP service account keys and API integration secrets while DEBUG mode logging is enabled. This issue affects MongoDB Atlas Kubernetes Operator versions: 1.5.0, 1.6.0, 1.6.1, 1.7.0.Please note that this is reported on an EOL version of the product, and users are advised to upgrade to the latest supported version.Required Configuration:DEBUG logging is not enabled by default, and must be configured by the end-user. To check the log-level of the Operator, review the flags passed in your deployment configuration (eg. https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 https://github.com/mongodb/mongodb-atlas-kubernetes/blob/main/config/manager/manager.yaml#L27 )

CVSS Score has been rated as 4.5

MongoDB client C Driver may infinitely loop when validating certain BSON input data (CVE-2023-0437)

Fri, 12 Jan 2024 14:13:00 GMT

When calling bson_utf8_validateon some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.

CVSS Score has been rated as 5.3

MongoDB Server may allow successful untrusted connection (CVE-2024-1351)

Thu, 07 Mar 2024 09:31:00 GMT

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.

CVSS Score has been rated as 8.8

Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application (CVE-2021-32050)

Tue, 29 Aug 2023 15:24:30 GMT

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed.Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default).This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

CVSS Score has been rated as 4.2

Kubernetes Operator generates potentially insecure certificates (CVE-2020-7922)

Thu, 09 Apr 2020 00:00:00 GMT

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects: MongoDB Inc. MongoDB Enterprise Kubernetes Operator version 1.0, 1.1, 1.2 versions prior to 1.2.4, 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4.

CVSS Score has been rated as 6.4

MongoDB Server (mongod) may crash when generating ftdc (CVE-2024-3374)

Tue, 14 May 2024 13:26:42 GMT

An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.

CVSS Score has been rated as 5.3

MongoDB Server may have unexpected application behaviour due to invalid BSON (CVE-2024-3372)

Tue, 14 May 2024 13:24:05 GMT

Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v.5.0 versions prior to 5.0.25.

CVSS Score has been rated as 7.5

Out-of-bounds read in bson module of PyMongo (CVE-2024-5629)

Wed, 05 Jun 2024 14:32:56 GMT

An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.

CVSS Score has been rated as 4.7

ejson shell parser in MongoDB Compass maybe bypassed (CVE-2024-6376)

Mon, 01 Jul 2024 14:57:31 GMT

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2

CVSS Score has been rated as 7

Missing authorization check may lead to shard key refinement (CVE-2024-6375)

Mon, 01 Jul 2024 14:40:32 GMT

A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.

CVSS Score has been rated as 5.4

MongoDB C Driver bson_strfreev may be susceptible to integer overflow (CVE-2024-6381)

Tue, 02 Jul 2024 17:14:48 GMT

The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2

CVSS Score has been rated as 4

Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands. (CVE-2024-6382)

Tue, 02 Jul 2024 17:17:50 GMT

Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2

CVSS Score has been rated as 6.4

MongoDB C Driver bson_string_append may be vulnerable to a buffer overflow (CVE-2024-6383)

Wed, 03 Jul 2024 21:33:47 GMT

The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small of buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1

CVSS Score has been rated as 5.3

Accessing Untrusted Directory May Allow Local Privilege Escalation (CVE-2024-7553)

Wed, 07 Aug 2024 09:57:49 GMT

Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1.Required Configuration:Only environments with Windows as the underlying operating system is affected by this issue

CVSS Score has been rated as 7.3

Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server (CVE-2024-6384)

Tue, 13 Aug 2024 14:22:22 GMT

"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3

CVSS Score has been rated as 5.3

MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths (CVE-2024-8207)

Tue, 27 Aug 2024 11:28:06 GMT

In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for a unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintended actor gaining full control over the MongoDB server process. This issue affects MongoDB Server v5.0 versions prior to 5.0.14 and MongoDB Server v6.0 versions prior to 6.0.3.Required Configuration: Only environments with Linux as the underlying operating system is affected by this issue

CVSS Score has been rated as 6.4

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour (CVE-2024-8654)

Tue, 10 Sep 2024 13:35:50 GMT

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.

CVSS Score has been rated as 5

MongoDB Server secondaries may crash due to forced index constraints (CVE-2024-8305)

Mon, 21 Oct 2024 14:10:31 GMT

prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4

CVSS Score has been rated as 6.5

CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines (CVE-2024-8013)

Mon, 28 Oct 2024 12:58:05 GMT

A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.

CVSS Score has been rated as 2.2

Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server (CVE-2024-10921)

Thu, 14 Nov 2024 16:04:04 GMT

An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.

CVSS Score has been rated as 6.8

Insufficient validation of external input in Compass may enable MITM attacks (CVE-2024-3371)

Wed, 24 Apr 2024 16:32:07 GMT

MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to 1.42.0.

CVSS Score has been rated as 7.1

Administrative action may disable enforcement of per-user IP whitelisting (CVE-2020-7921)

Wed, 06 May 2020 11:00:00 GMT

Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.

CVSS Score has been rated as 4.6

Process termination via PID file manipulation (CVE-2019-2389)

Fri, 30 Aug 2019 11:00:00 GMT

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB process via SysV init. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6 versions prior to 3.6.14; v3.4 versions prior to 3.4.22.

CVSS Score has been rated as 5.3

Potential exposure of log information in Ops Manager (CVE-2019-2388)

Wed, 13 May 2020 11:00:00 GMT

In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance. This issue affects: MongoDB Inc. MongoDB Ops Manager 4.0 versions 4.0.9, 4.0.10 and MongoDB Ops Manager 4.1 version 4.1.5.

CVSS Score has been rated as 5.8

JS-bson may incorrectly serialise some requests (CVE-2019-2391)

Tue, 31 Mar 2020 11:00:00 GMT

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.

CVSS Score has been rated as 4.2

Authorization session conflation (CVE-2019-2386)

Tue, 06 Aug 2019 11:00:00 GMT

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

CVSS Score has been rated as 7.1

Code execution on Windows via OpenSSL engine injection (CVE-2019-2390)

Fri, 30 Aug 2019 11:00:00 GMT

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue affects: MongoDB Inc. MongoDB Server 4.0 prior to 4.0.11; 3.6 prior to 3.6.14; 3.4 prior to 3.4.22.

CVSS Score has been rated as 8.2

Specific GeoQuery can cause DoS against MongoDB Server (CVE-2020-7923)

Fri, 21 Aug 2020 00:00:00 GMT

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.

CVSS Score has been rated as 6.5

Denial of Service when processing malformed Role names (CVE-2020-7925)

Mon, 30 Nov 2020 00:00:00 GMT

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.

CVSS Score has been rated as 7.5

Specific query can cause a DoS against MongoDB Server (CVE-2020-7926)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects: MongoDB Server version 4.4 prior to 4.4.1. Versions before 4.4 are not affected.

CVSS Score has been rated as 6.5

Potential privilege escalation in Ops Manager API (CVE-2020-7927)

Mon, 30 Nov 2020 00:00:00 GMT

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.

CVSS Score has been rated as 8.1

$mod can result in UB (CVE-2019-2392)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

CVSS Score has been rated as 6.5

Crash while joining collections with $lookup (CVE-2019-2393)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15.

CVSS Score has been rated as 6.5

Crash while handling internal Javascript exception types (CVE-2019-20923)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled Javascript exceptions containing types intended to be scoped to the Javascript engine's internals. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.7.

CVSS Score has been rated as 6.5

Invariant in IndexBoundsBuilder (CVE-2019-20924)

Tue, 01 Dec 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.2.

CVSS Score has been rated as 6.5

Improper neutralization of null byte leads to read overrun (CVE-2020-7928)

Mon, 23 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.

CVSS Score has been rated as 6.5

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application (CVE-2021-20332)

Mon, 02 Aug 2021 00:00:00 GMT

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. Note that such monitoring is not enabled by default.

CVSS Score has been rated as 4.2

Invariant failure in applyOps (CVE-2018-20804)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.10; v3.6 versions prior to 3.6.13.

CVSS Score has been rated as 6.5

Invariant with $elemMatch (CVE-2018-20805)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10. This issue affects: MongoDB Inc. MongoDB Server 3.6 versions prior to 3.6.10; 4.0 versions prior to 4.0.5.

CVSS Score has been rated as 6.5

Denial of service via malformed network packet (CVE-2019-20925)

Tue, 24 Nov 2020 00:00:00 GMT

An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects: MongoDB Inc. MongoDB Server v4.2 versions prior to 4.2.1; v4.0 versions prior to 4.0.13; v3.6 versions prior to 3.6.15; v3.4 versions prior to 3.4.24.

CVSS Score has been rated as 7.5

Infinite loop in aggregation expression (CVE-2018-20803)

Mon, 23 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19.

CVSS Score has been rated as 6.5

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager (CVE-2021-20335)

Thu, 11 Feb 2021 00:00:00 GMT

For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager <= 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.

CVSS Score has been rated as 6.7

MongoDB Node.js client side field level encryption library may not be validating KMS certificate (CVE-2021-20327)

Thu, 25 Feb 2021 00:00:00 GMT

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS servers certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service rendering client-side field level encryption (CSFLE) ineffective. This issue was discovered during internal testing and affects mongodb-client-encryption module version 1.2.0, which was available from 2021-Jan-29 and deprecated in the NPM Registry on 2021-Feb-04. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services from applications residing inside the AWS, GCP, and Azure nework fabrics due to compensating controls in these environments. This issue does not impact driver workloads that dont use Field Level Encryption.

CVSS Score has been rated as 6.4

MongoDB Java driver client-side field level encryption not verifying KMS host name (CVE-2021-20328)

Thu, 25 Feb 2021 00:00:00 GMT

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS servers certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that dont use Field Level Encryption.

CVSS Score has been rated as 6.4

Specially crafted regex query can cause DoS (CVE-2020-7929)

Fri, 26 Feb 2021 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.

CVSS Score has been rated as 6.5

Invariant failure when explaining a find with a UUID (CVE-2018-25004)

Fri, 26 Feb 2021 00:00:00 GMT

A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11.

CVSS Score has been rated as 4.9

Local privilege escalation in MongoDB Compass for Windows (CVE-2021-20334)

Tue, 06 Apr 2021 00:00:00 GMT

A malicious 3rd party with local access to the Windows machine where MongoDB Compass is installed can execute arbitrary software with the privileges of the user who is running MongoDB Compass. This issue affects: MongoDB Inc. MongoDB Compass 1.x version 1.3.0 on Windows and later versions; 1.x versions prior to 1.25.0 on Windows.

CVSS Score has been rated as 4.8

Specific command line parameter might result in accepting invalid certificate (CVE-2020-7924)

Mon, 12 Apr 2021 00:00:00 GMT

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

CVSS Score has been rated as 4.2

Specially crafted query may result in a denial of service of mongod (CVE-2021-20326)

Fri, 30 Apr 2021 00:00:00 GMT

A user authorized to performing a specific type of find query may trigger a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.4.

CVSS Score has been rated as 6.5

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application (CVE-2021-20331)

Mon, 24 May 2021 00:00:00 GMT

Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "isMaster", "createUser", and "updateUser" are executed. Without due care, an application may inadvertently expose this authenticated-related information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C# Driver 2.12 <= 2.12.1.

CVSS Score has been rated as 4.2

Specific cstrings input may not be properly validated in the Go Driver (CVE-2021-20329)

Thu, 10 Jun 2021 00:00:00 GMT

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.

CVSS Score has been rated as 6.8

Server log entry spoofing via newline injection (CVE-2021-20333)

Fri, 23 Jul 2021 00:00:00 GMT

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;

CVSS Score has been rated as 5.3

Post-auth queries on compound index may crash mongod (CVE-2018-20802)

Mon, 30 Nov 2020 00:00:00 GMT

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.9, v4.0 versions prior to 4.0.3.

CVSS Score has been rated as 6.5

MongoDB may be susceptible to Invariant Failure due to batched delete (CVE-2025-13644)

Tue, 25 Nov 2025 05:23:12 GMT

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2

CVSS Score has been rated as 6.5

Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server (CVE-2025-14345)

Tue, 09 Dec 2025 15:00:38 GMT

A post-authenticationflaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2.

CVSS Score has been rated as 4.2

Zlib compressed protocol header length confusion may allow memory read (CVE-2025-14847)

Fri, 19 Dec 2025 11:00:22 GMT

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

CVSS Score has been rated as 8.7

Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak (CVE-2026-2303)

Tue, 10 Feb 2026 19:03:06 GMT

The mongo-go-driver repositorycontains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.

CVSS Score has been rated as 6.9

Unsafe Reflection in Mongoid::Criteria.from_hash (CVE-2026-2302)

Tue, 10 Feb 2026 18:59:23 GMT

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

CVSS Score has been rated as 6.9

Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server (CVE-2026-25611)

Tue, 10 Feb 2026 17:52:47 GMT

A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.

CVSS Score has been rated as 8.7

Internal ResourceId collision may affect unrelated collections (CVE-2026-25612)

Tue, 10 Feb 2026 18:05:23 GMT

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.

CVSS Score has been rated as 7.1

An unsafe cast in the MongoDB query planner can result in a segmentation fault. (CVE-2026-25613)

Tue, 10 Feb 2026 18:54:50 GMT

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.

CVSS Score has been rated as 7.1

profile command may permit unauthorized configuration (CVE-2026-25609)

Tue, 10 Feb 2026 18:39:11 GMT

Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.

CVSS Score has been rated as 5.3

Invalid $geoNear index hint may cause server crash (CVE-2026-25610)

Tue, 10 Feb 2026 18:30:40 GMT

An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.

CVSS Score has been rated as 7.1

An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification (CVE-2026-1850)

Tue, 10 Feb 2026 18:49:32 GMT

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.

CVSS Score has been rated as 7.1

Mongod can run out of stack memory when expressions create deeply nested documents (CVE-2026-1849)

Tue, 10 Feb 2026 18:52:52 GMT

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.

CVSS Score has been rated as 7.1

Connections received from the proxy port may not count towards total accepted connections (CVE-2026-1848)

Tue, 10 Feb 2026 18:22:41 GMT

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header.

CVSS Score has been rated as 8.2

MongoDB Server may crash when inserting large documents (CVE-2026-1847)

Tue, 10 Feb 2026 18:16:24 GMT

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash.

CVSS Score has been rated as 7.1

MongoDB Shell may be susceptible to Control Character Injection via autocomplete (CVE-2025-1691)

Thu, 27 Feb 2025 12:34:02 GMT

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated malicious text. This requires user interaction in the form of the user using tab to autocomplete text that is a prefix of the attackers prepared autocompletion. This issue affects mongosh versions prior to2.3.9.The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

CVSS Score has been rated as 7.6

Stack memory disclosure in filemd5 command (CVE-2026-4147)

Tue, 17 Mar 2026 15:50:21 GMT

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.

CVSS Score has been rated as 7.1

ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators (CVE-2026-4148)

Tue, 17 Mar 2026 15:53:57 GMT

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

CVSS Score has been rated as 8.7

Memory safety issues in slot-based execution hash table spill (CVE-2026-4358)

Tue, 17 Mar 2026 19:00:07 GMT

A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.

CVSS Score has been rated as 6.1

Heap-buffer-over-read in _mongoc_http_send via strstr on non-null-terminated buffer (CVE-2026-4359)

Tue, 17 Mar 2026 19:42:03 GMT

A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.

CVSS Score has been rated as 2

MD5 checksum creation may cause availability loss (CVE-2026-6914)

Wed, 29 Apr 2026 16:47:02 GMT

Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior to 7.0.32

CVSS Score has been rated as 7.1

Users could trigger a crash of mongod primaries during promotion to sharded (CVE-2026-5170)

Mon, 30 Mar 2026 15:28:57 GMT

A user with access to the cluster with a limited set of privilege actions can trigger a crash of amongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.

CVSS Score has been rated as 6

bson_validate may skip validation when processing certain inputs (CVE-2026-6231)

Mon, 13 Apr 2026 15:31:55 GMT

The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1

CVSS Score has been rated as 5.3

Flaw in the updateUser Command May Allow Unauthorized Configuration Change (CVE-2026-6915)

Wed, 29 Apr 2026 16:51:01 GMT

An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.

CVSS Score has been rated as 5.3

Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators (CVE-2026-8202)

Wed, 13 May 2026 00:19:41 GMT

Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time.This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score has been rated as 5.3

Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands (CVE-2026-8336)

Wed, 13 May 2026 00:16:16 GMT

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce commands map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score has been rated as 7.7

Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields (CVE-2026-8201)

Wed, 13 May 2026 00:12:35 GMT

A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query.This issue impacts MongoDB Servers mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score has been rated as 6.1

Schema validation log messages may not redact user data (CVE-2026-8200)

Wed, 13 May 2026 00:08:29 GMT

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted.This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score has been rated as 4.8

Post-auth memory exhaustion via bitwise match expressions (CVE-2026-8199)

Wed, 13 May 2026 00:05:22 GMT

An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM.This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score has been rated as 7.1

FlatBSON Duplicate Field Index Drift (CVE-2026-8053)

Tue, 12 May 2026 23:59:43 GMT

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score has been rated as 8.7

Ops Manager RCE via webhook body (CVE-2026-8431)

Tue, 12 May 2026 18:37:47 GMT

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax.This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.

CVSS Score has been rated as 9.4

Integer Overflow in GridFS chunkSize Leading to Heap Allocation Failure (CVE-2025-14911)

Tue, 27 Jan 2026 17:29:21 GMT

User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container.

CVSS Score has been rated as 7.1

MongoDB Shell may be susceptible to control character injection via pasting (CVE-2025-1692)

Thu, 27 Feb 2025 12:37:00 GMT

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the users clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious code. This issue affects mongosh versions prior to 2.3.9

CVSS Score has been rated as 6.3

MongoDB Shell may be susceptible to control character Injection via shell output (CVE-2025-1693)

Thu, 27 Feb 2025 12:39:37 GMT

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.This issue affects mongosh versions prior to 2.3.9

CVSS Score has been rated as 3.9

MongoDB Compass may be susceptible to local privilege escalation in Windows (CVE-2025-1755)

Thu, 27 Feb 2025 15:24:07 GMT

MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules. This issue affects MongoDB Compass prior to 1.42.1

CVSS Score has been rated as 7.5

MongoDB Shell may be susceptible to local privilege escalation in Windows (CVE-2025-1756)

Thu, 27 Feb 2025 15:28:11 GMT

mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules. This issue affects mongosh prior to 2.3.0

CVSS Score has been rated as 7.5

MongoDB C Driver bson library may be susceptible to buffer overflow (CVE-2025-0755)

Tue, 18 Mar 2025 09:01:04 GMT

The various bson_appendfunctions in the MongoDB C driver library may be susceptible to buffer overflow when performing operations that could result in a final BSON document which exceeds the maximum allowable size (INT32_MAX), resulting in a segmentation fault and possible application crash. This issue affected libbson versions prior to 1.27.5, MongoDB Server v8.0 versions prior to 8.0.1 and MongoDB Server v7.0 versions prior to 7.0.16

CVSS Score has been rated as 8.4

Malformed MongoDB wire protocol messages may cause mongos to crash (CVE-2025-3083)

Tue, 01 Apr 2025 11:12:31 GMT

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to6.0.20 and MongoDB v7.0 versions prior to 7.0.16

CVSS Score has been rated as 7.5

User may override a view's collation and gain unauthorized access to underlying data (CVE-2025-3082)

Tue, 01 Apr 2025 11:08:06 GMT

A user authorized to access a view may be able to alter the intended collation, allowing them to access to a different or unintended view of underlying data. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.20, MongoDB Server v7.0 version prior to 7.0.14 and MongoDB Server v7.3 versions prior to 7.3.4.

CVSS Score has been rated as 3.1

MongoDB Server may crash due to improper validation of explain command (CVE-2025-3084)

Tue, 01 Apr 2025 11:14:19 GMT

When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4

CVSS Score has been rated as 6.5

MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked (CVE-2025-3085)

Tue, 01 Apr 2025 12:05:05 GMT

A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-cluster authentication. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.16 and MongoDB Server v8.0 versions prior to 8.0.4.Required Configuration :MongoDB Server must be running on Linux Operating Systems and CRL revocation status checking must be enabled

CVSS Score has been rated as 8.1

Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server (CVE-2025-6706)

Thu, 26 Jun 2025 14:00:22 GMT

An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled.

CVSS Score has been rated as 5

Race condition in privilege cache invalidation cycle (CVE-2025-6707)

Thu, 26 Jun 2025 14:04:46 GMT

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

CVSS Score has been rated as 4.2

Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication (CVE-2025-6709)

Thu, 26 Jun 2025 14:07:04 GMT

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

CVSS Score has been rated as 7.5

Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB (CVE-2025-6710)

Thu, 26 Jun 2025 14:09:29 GMT

MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

CVSS Score has been rated as 7.5

Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash (CVE-2025-7259)

Mon, 07 Jul 2025 15:59:01 GMT

An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.

CVSS Score has been rated as 6.5

Incomplete Redaction of Sensitive Information in MongoDB Server Logs (CVE-2025-6711)

Mon, 07 Jul 2025 14:42:16 GMT

An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.

CVSS Score has been rated as 4.4

MongoDB Server may allow queries to be terminated by unauthorized users (CVE-2025-13643)

Tue, 25 Nov 2025 05:16:24 GMT

A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14

CVSS Score has been rated as 3.1

MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage (CVE-2025-6713)

Mon, 07 Jul 2025 14:46:36 GMT

An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.20 and MongoDB Server v6.0 versions prior to 6.0.22

CVSS Score has been rated as 7.7

Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections (CVE-2025-6714)

Mon, 07 Jul 2025 14:48:48 GMT

MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9Required Configuration:This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports.

CVSS Score has been rated as 7.5

MongoDB Server router will crash when incorrect lsid is set on a sharded query (CVE-2025-10059)

Fri, 05 Sep 2025 20:26:52 GMT

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument (lsid) is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v8.0 versions prior to 8.0.6.

CVSS Score has been rated as 6.5

MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation (CVE-2025-10060)

Fri, 05 Sep 2025 20:39:14 GMT

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22 and MongoDB Server v8.0 versions prior to 8.0.12

CVSS Score has been rated as 6.5

Malformed $group Query May Cause MongoDB Server to Crash (CVE-2025-10061)

Fri, 05 Sep 2025 20:48:25 GMT

An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to denial of service if triggered repeatedly. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.22, MongoDB Server v8.0 versions prior to 8.0.12 and MongoDB Server v8.1 versions prior to 8.1.2

CVSS Score has been rated as 6.5

MongoDB Windows installation MSI may leave ACLs unset on custom installation directories (CVE-2025-10491)

Mon, 15 Sep 2025 16:04:54 GMT

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5

CVSS Score has been rated as 7.8

MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories (CVE-2025-11535)

Wed, 08 Oct 2025 22:07:18 GMT

MongoDB Connector for BI installation viaMSIon Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.

CVSS Score has been rated as

Configuration may unexpectedly disable certificate validation (CVE-2025-11695)

Mon, 13 Oct 2025 16:22:57 GMT

When tlsInsecure=False appears in a connection string, certificate validation is disabled.This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5

CVSS Score has been rated as 8

Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior (CVE-2025-11979)

Mon, 20 Oct 2025 17:47:57 GMT

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoDB Server version 8.2.0.

CVSS Score has been rated as 5.3

MongoDB Atlas SQL ODBC driver installation via MSI may leave ACLs unset on custom installation directories (CVE-2025-11575)

Thu, 23 Oct 2025 00:22:00 GMT

Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0.

CVSS Score has been rated as

MongoDB BI Connector ODBC driver installation via MSI may leave ACLs unset on custom installation directories (CVE-2025-12100)

Thu, 23 Oct 2025 21:02:18 GMT

Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6.

CVSS Score has been rated as

Malformed KMIP response may result in access violation (CVE-2025-12657)

Mon, 03 Nov 2025 21:03:25 GMT

The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.

CVSS Score has been rated as

Bulk write with options may read invalid memory (CVE-2025-12119)

Tue, 18 Nov 2025 20:21:08 GMT

A mongoc_bulk_operation_t may read invalid memory if large options are passed.

CVSS Score has been rated as

Time-series operations may cause internal BSON size limit to be exceed (CVE-2025-13507)

Tue, 25 Nov 2025 04:52:47 GMT

Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1.

CVSS Score has been rated as 7.1

Improper Certificate Validation May Allow Successful TLS Handshaking Despite Invalid Extended Key Usage Fields in MongoDB Server (CVE-2025-12893)

Tue, 25 Nov 2025 05:07:17 GMT

Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems.Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2

CVSS Score has been rated as 4.2