CVE-2026-25613 — Incorrect Type Conversion or Cast in INC Mongodb Server

CWE-704 — Incorrect Type Conversion or Cast5 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 83.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedFeb 10

Description

An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5mongodb_inc/mongodb_server7.0 — 7.0.29+2

▶NVDmongodb/mongodb7.0.0 — 7.0.29+2

🔴Vulnerability Details

GHSA

GHSA-4x52-g43x-cfxm: An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index↗2026-02-10

▶

OSV

CVE-2026-25613: An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index↗2026-02-10

▶

CVEList

An unsafe cast in the MongoDB query planner can result in a segmentation fault.↗2026-02-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25613 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶