Lucene search
K
MongodbMost viewed

146 matches found

MongoDB
MongoDB
added 2026/06/09 10:5 p.m.12 views

Crafted cross-shard merge aggregation crashes MongoDB Server

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

7.1CVSS5.4AI score0.0027EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/03/17 7:0 p.m.12 views

Memory safety issues in slot-based execution hash table spill

A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution SBE engine when an in-memory hash table is spilled to disk...

7.5CVSS5.5AI score0.00342EPSS
Exploits1References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 7:3 p.m.12 views

Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak

The mongo-go-driver repository contains CGo bindings for GSSAPI Kerberos authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not...

6.9CVSS5.6AI score0.00223EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:16 p.m.12 views

MongoDB Server may crash when inserting large documents

Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set leading to server crash...

7.5CVSS5.5AI score0.00243EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/09/05 8:39 p.m.12 views

MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0...

7.5CVSS6.9AI score0.00305EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:24 p.m.11 views

Sensitive data could be written to mongod.log

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

6.8CVSS5.5AI score0.00109EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:8 p.m.11 views

$_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

7.1CVSS5.4AI score0.00323EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/07 4:12 a.m.11 views

Post-auth null pointer dereference when aggregating against a view with empty search pipeline

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads...

7.1CVSS5.8AI score0.0023EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/03/30 3:28 p.m.11 views

Users could trigger a crash of mongod primaries during promotion to sharded

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary o...

6CVSS5.2AI score0.00203EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:59 p.m.11 views

Unsafe Reflection in Mongoid::Criteria.from_hash

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.fromhash may allow for executing arbitrary Ruby code...

6.9CVSS5.6AI score0.00196EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:52 p.m.11 views

Mongod can run out of stack memory when expressions create deeply nested documents

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression...

7.5CVSS5.5AI score0.00272EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:22 p.m.11 views

Connections received from the proxy port may not count towards total accepted connections

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header...

8.2CVSS5.5AI score0.00263EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/11/25 5:7 a.m.11 views

Improper Certificate Validation May Allow Successful TLS Handshaking Despite Invalid Extended Key Usage Fields in MongoDB Server

Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage EKU requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully...

5.4CVSS6.5AI score0.00084EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:17 p.m.10 views

Metadata name collision on $-prefixed fields causes post-auth server crash

An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain...

7.1CVSS5.7AI score0.00368EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 10:10 p.m.10 views

Using MaxKey() may crash the server

This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer that is, many results are routed to the same consumer,...

7.1CVSS5.8AI score0.0027EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 9:57 p.m.10 views

Authenticate command with specific mechanism parameter can trigger server crash

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...

8.2CVSS5.5AI score0.00347EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 9:56 p.m.10 views

Client side encryption fails to encrypt values in a $vectorSearch

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption QE or Client-Side Field Level Encryption CSFLE results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of...

7.1CVSS5.4AI score0.00103EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/13 12:5 a.m.10 views

Post-auth memory exhaustion via bitwise match expressions

An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue impacts MongoDB Server v7.0 versions prior to...

7.1CVSS5.8AI score0.00258EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/12 6:37 p.m.10 views

Ops Manager RCE via webhook body

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior...

9.4CVSS6AI score0.00371EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/06 3:8 p.m.10 views

MongoDB C Driver Cyrus SASL Canonicalization Buffer Overflow

The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI...

8.6CVSS5.9AI score0.00126EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:54 p.m.10 views

An unsafe cast in the MongoDB query planner can result in a segmentation fault.

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index...

7.1CVSS5.5AI score0.0024EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/11/25 5:16 a.m.10 views

MongoDB Server may allow queries to be terminated by unauthorized users

A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions...

6.5CVSS6.9AI score0.00192EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/10/09 2:14 p.m.10 views

MongoDB Atlas SQL ODBC driver installation via MSI may leave ACLs unset on custom installation directories

Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows allows Privilege Escalation.This issue affects MongoDB Atlas SQL ODBC driver: from 1.0.0 through 2.0.0...

8.8CVSS7.6AI score0.00122EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/10/08 9:26 p.m.10 views

MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories

MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories allows Privilege Escalation.This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24...

8.8CVSS7AI score0.00114EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/07/07 2:45 p.m.10 views

MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation

MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory...

6.5CVSS7AI score0.00276EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/06/26 11:32 a.m.10 views

Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication

The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. Thi...

7.5CVSS7AI score0.00466EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/05/13 12:16 a.m.9 views

Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands

After invoking $internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine through $where, $function, mapreduce reduce stage, etc. is used also in...

7.7CVSS5.8AI score0.00255EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/03/17 7:42 p.m.9 views

Heap-buffer-over-read in _mongoc_http_send via strstr on non-null-terminated buffer

A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver...

3.7CVSS5.1AI score0.00187EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:49 p.m.9 views

An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash...

7.5CVSS5.4AI score0.00243EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/01/27 5:29 p.m.9 views

Integer Overflow in GridFS chunkSize Leading to Heap Allocation Failure

User-controlled chunkSize metadata from MongoDB lacks appropriate validation allowing malformed GridFS metadata to overflow the bounding container...

7.1CVSS5.5AI score0.00275EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/11/25 5:23 a.m.9 views

MongoDB may be susceptible to Invariant Failure due to batched delete

MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server...

7.5CVSS6.9AI score0.00252EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/10/13 4:22 p.m.9 views

Configuration may unexpectedly disable certificate validation

When tlsInsecure=False appears in a connection string, certificate validation is disabled. This vulnerability affects MongoDB Rust Driver versions prior to v3.2.5...

8CVSS6.8AI score0.00165EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/09/05 8:48 p.m.9 views

Malformed $group Query May Cause MongoDB Server to Crash

An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This vulnerability could lead to deni...

6.5CVSS6.8AI score0.00289EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/06/09 9:59 p.m.8 views

Aggregation sub-pipeline null dereference may allow DoS via crafted getMore

In MongoDB Server 8.0, an aggregation stage can leave its subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid addres...

7.1CVSS5.5AI score0.00307EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/04/29 4:47 p.m.8 views

MD5 checksum creation may cause availability loss

Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior...

7.5CVSS5.2AI score0.00255EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/03/17 3:53 p.m.8 views

ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline...

8.8CVSS5.8AI score0.00323EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 5:52 p.m.8 views

Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server

A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server...

8.7CVSS5.4AI score0.00782EPSS
Exploits0References3Affected Software1
MongoDB
MongoDB
added 2025/12/09 3:0 p.m.8 views

Cross-Shard Failovers May Lead to Partial Transaction Commit in MongoDB Server

A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction...

5.4CVSS6.8AI score0.002EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/10/23 9:1 p.m.8 views

MongoDB BI Connector ODBC driver installation via MSI may leave ACLs unset on custom installation directories

Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Privilege Escalation.This issue affects BI Connector ODBC driver: from 1.0.0 through 1.4.6...

8.8CVSS7AI score0.00123EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/10/20 5:47 p.m.8 views

Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior

An authorized user may crash the MongoDB server by causing buffer over-read. This can be done by issuing a DDL operation while queries are being issued, under some conditions. This issue affects MongoDB Server v7.0 versions prior to 7.0.25, MongoDB Server v8.0 versions prior to 8.0.15, and MongoD...

6.5CVSS7.1AI score0.00246EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/09/05 8:26 p.m.8 views

MongoDB Server router will crash when incorrect lsid is set on a sharded query

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB routers. This issue occurs when a generic argument lsid is provided in a case when it is not applicable. This affects MongoDB Server v6.0 versions prior to 6.0.x, MongoDB Server v7.0 versions prior to 7.0.18 a...

6.5CVSS6.8AI score0.00254EPSS
Exploits0References2Affected Software1
MongoDB
MongoDB
added 2026/03/17 3:50 p.m.7 views

Stack memory disclosure in filemd5 command

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command...

7.1CVSS5.8AI score0.00215EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:39 p.m.7 views

profile command may permit unauthorized configuration

Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only...

5.4CVSS5.5AI score0.00173EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/02/10 6:30 p.m.7 views

Invalid $geoNear index hint may cause server crash

An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints...

7.1CVSS5.4AI score0.0024EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2025/11/25 4:52 a.m.7 views

Time-series operations may cause internal BSON size limit to be exceed

Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8...

7.1CVSS6.9AI score0.00249EPSS
Exploits0References1Affected Software1
MongoDB
MongoDB
added 2026/04/13 3:31 p.m.6 views

bson_validate may skip validation when processing certain inputs

The bsonvalidate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that re...

7.5CVSS5.2AI score0.00184EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities146