By vendor
Mongodb vulnerabilities
Known CVEs affecting Mongodb products, prioritized by severity, with SEC.co remediation and detection guidance.
13 published vulnerabilities
- CVE-2026-9753HIGH 8.1
CVE-2026-9753 is a memory safety vulnerability in MongoDB's aggregation pipeline that allows any authenticated user to crash the server or read sensitive data from server memory. An attacker with valid database credentials can exploit the $_internalApplyOplogUpdate stage by submitting a specially crafted document diff with malformed binary data, triggering an out-of-bounds memory access. This does not require special privileges beyond basic database authentication.
- CVE-2026-9740HIGH 7.5
MongoDB Server contains a flaw in how it validates BSON (Binary JSON) data structures that allows anyone on the network to crash the database server without needing to log in. An attacker can send a specially crafted message that exploits recursion logic in the validation code, causing the mongod process to fail. This is a denial-of-service issue—data is not stolen or modified, but legitimate database access becomes unavailable.
- CVE-2026-9742HIGH 7.5
CVE-2026-9742 is a pre-authentication denial-of-service vulnerability in MongoDB when OIDC (OpenID Connect) authentication is enabled. Unauthenticated attackers can crash the server by sending specially crafted values in the "mechanism" parameter of the authenticate command, disrupting service availability without requiring valid credentials.
- CVE-2026-9741MEDIUM 6.5
MongoDB's encryption features—specifically Queryable Encryption and Client-Side Field Level Encryption (CSFLE)—contain a flaw in how they handle the $vectorSearch aggregation stage. When users filter encrypted data using $vectorSearch, literal values meant to stay encrypted are instead sent to the MongoDB server in plaintext. This defeats a core purpose of client-side encryption: keeping sensitive data encrypted at rest and in transit. An authenticated attacker with database access could potentially read these exposed field values, even though the bulk of the encrypted document remains protected.
- CVE-2026-9743MEDIUM 6.5
MongoDB Server 8.0 has a vulnerability where certain aggregation queries can leave internal data structures in an inconsistent state. If an authenticated user follows up with a cursor operation (getMore), the server attempts to access a null pointer, causing the process to crash. Only users with authentication credentials can trigger this, but no special privileges are required—any authenticated database user can initiate the attack.
- CVE-2026-9746MEDIUM 6.5
MongoDB servers can be forced to crash when a logged-in user executes a specific combination of change stream operations with resharding resume tokens and the exchange option. An attacker with valid database credentials can trigger this denial-of-service condition without elevated privileges, causing service disruption. The crash occurs due to an unhandled invariant violation in the server code.
- CVE-2026-9748MEDIUM 6.5
MongoDB's internal index statistics conversion stage inadvertently uses a signal mechanism that was designed for a completely different purpose. When this stage appears before the $facet aggregation operator in a pipeline, MongoDB's document processing layer receives an unexpected control signal and crashes. This is a denial-of-service flaw that requires authenticated database access to trigger.
- CVE-2026-9749MEDIUM 6.5
MongoDB servers running aggregation pipelines with specific internal configurations can encounter a denial-of-service condition when processing large result sets. The issue occurs in the $exchange stage when key-range partitioning routes many documents to the same consumer, causing a buffer management flaw that prevents proper tracking of data flow. This can lead to server instability or unavailability without authentication requirements beyond normal database access.
- CVE-2026-9750MEDIUM 6.5
CVE-2026-9750 is a medium-severity vulnerability in MongoDB that allows authenticated users to crash the database server or cause it to return incorrect query results. The flaw occurs because MongoDB doesn't properly separate user-supplied document fields from its internal metadata during query processing, allowing a malicious or compromised account to exploit this weakness without requiring network access beyond normal database authentication.
- CVE-2026-9752MEDIUM 6.5
An authenticated user can crash a MongoDB server by executing a specially crafted query against a 2dsphere geospatial index. The vulnerability exists because MongoDB's validation logic fails to properly inspect nested geometric objects within a GeoJSON GeometryCollection, allowing a forbidden strict-winding Polygon to bypass safety checks and trigger a null-pointer dereference that terminates the server process.
- CVE-2026-9754MEDIUM 6.5
CVE-2026-9754 is a medium-severity information disclosure vulnerability in MongoDB that allows an authenticated user holding the read role to extract small amounts of uninitialized stack memory by sending specially crafted filemd5 commands. An attacker with valid database credentials and read permissions can trigger this flaw to leak sensitive data that may reside in memory, such as encryption keys, session tokens, or other confidential information. The vulnerability does not enable privilege escalation, data modification, or denial of service—only unauthorized information disclosure.
- CVE-2026-9735MEDIUM 5.5
MongoDB servers can accidentally write authentication credentials to log files when connection health metric logging is enabled. During SASL authentication, the full authentication parameters—including usernames and passwords—may be recorded without being masked or redacted. An attacker with local access to the server could read these log files and obtain valid credentials, bypassing the need for network-based attacks.
- CVE-2026-9751MEDIUM 5.5
MongoDB has a logging issue where LDAP passwords are exposed in plain text. When an administrator uses the runtime setParameter command to configure LDAP authentication (specifically the ldapQueryPassword parameter), the new password is written directly to the mongod.log file instead of being masked or encrypted. Any user with local access to the server or log files can read this sensitive credential, defeating password protection. This is a configuration-time mistake rather than a network-exploitable flaw, but it creates a direct path to credential compromise.