CVE-2026-4147 — Use of Uninitialized Variable in INC Mongodb Server

CWE-457 — Use of Uninitialized Variable5 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 89.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedMar 17

Description

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDmongodb/mongodb7.0.0 — 7.0.31+3

▶CVEListV5mongodb_inc/mongodb_server8.2 — 8.2.6+2

Patches

Patch: jira.mongodb.org ↗

🔴Vulnerability Details

GHSA

GHSA-65gf-rq85-48c5: An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command↗2026-03-17

▶

CVEList

Stack memory disclosure in filemd5 command↗2026-03-17

▶

OSV

CVE-2026-4147: An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command↗2026-03-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4147 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶