CVE-2025-6707 — Incorrect Authorization in INC Mongodb Server

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

5.4MEDIUMNVD

CNA4.2

EPSS

0.1%

top 80.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedJun 26

Description

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server5.0 — 5.0.31+3

▶NVDmongodb/mongodb5.0.0 — 5.0.31+3

🔴Vulnerability Details

GHSA

GHSA-2r62-3h6c-3fgx: Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrat↗2025-06-26

▶

CVEList

Race condition in privilege cache invalidation cycle↗2025-06-26

▶

OSV

CVE-2025-6707: Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrat↗2025-06-26

▶