CVE-2026-4358
Published 2026-03-17
Priority P3 · 47 · high · 7.5 · CVSS 3.1
CVSS 3.1 vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.34% (26.0th percentile)
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 7.0.0 < 7.0.31 | 7.0.31 |
| mongodb | mongodb | >= 8.0.0 < 8.0.20 | 8.0.20 |
| mongodb | mongodb | >= 8.2.0 < 8.2.6 | 8.2.6 |
| mongodb_inc | mongodb_server | >= 7.0 < 7.0.31 | 7.0.31 |
| mongodb_inc | mongodb_server | >= 8.0 < 8.0.20 | 8.0.20 |
| mongodb_inc | mongodb_server | >= 8.2 < 8.2.6 | 8.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 6.1 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.1 | MEDIUM | — |
OSV
osv · 2026-03-17 · CVSS 6.1 · CVE-2026-4358 [MEDIUM]
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
GHSA
GHSA-64ph-qr47-qxh4 · ghsa_unreviewed · 2026-03-17 · CVE-2026-4358 [MEDIUM] · CWE-415
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-1849 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-1849: MongoDB vulnerability analysis and mitigation
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
Source: NVD
Score 7.1
Published February 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mongod-7.0
mongod-8.0
Sources
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Nix Severity HIGH Has Fix Added at: Mar 03, 2026
Ubuntu 18
Wiz
CVE-2026-4358 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-4358: MongoDB vulnerability analysis and mitigation
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Source: NVD
Score 6.1
Published March 17, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
MongoDB
MinimOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mongod-7.0
mongod-8.0
Sources
MinimOS Severity HIGH Has Fix Added at: Apr 05, 2026
Nix Severity HIGH Has Fix Added at: Apr 05, 2026
Linu
Wiz
CVE-2026-4147 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-4147: MongoDB vulnerability analysis and mitigation
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Source: NVD
Score 7.1
Published March 17, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:mongodb:mongodb
Sources
NVD
Linux Severity MEDIUM Has Fix Added at: Mar 19, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 19, 2026
Wiz
CVE-2025-14345 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 2.3 · [LOW]
## CVE-2025-14345: MongoDB vulnerability analysis and mitigation
A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact.
This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.2 versions prior to 8.2.2.
Source: NVD
Score 2.3
Published December 9, 2025
Severity LOW
CNA Score 2.3
Affected Technologie
Wiz
CVE-2026-1848 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2 · [HIGH]
## CVE-2026-1848: MongoDB vulnerability analysis and mitigation
Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header.
Source: NVD
Score 8.2
Published February 10, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:mongodb:mongodb
mongodb
Sources
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Nix
Wiz
CVE-2026-4148 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-4148: MongoDB vulnerability analysis and mitigation
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Source: NVD
Score 8.7
Published March 17, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
MongoDB
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:mongodb:mongodb
Sources
NVD
Linux Severity HIGH Has Fix Added at: Mar 19, 2026
Windows Severity HIGH Has Fix Added at: Mar 19, 2026
Wiz
CVE-2026-25609 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · [MEDIUM]
## CVE-2026-25609: MongoDB vulnerability analysis and mitigation
Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.
Source: NVD
Score 5.3
Published February 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mongodb
cpe:2.3:a:mongodb:mongodb
Sources
MinimOS Severity MEDIUM Has Fix Added at: Mar 02, 2026
Nix Severity MEDIUM Has Fix Added at: Mar 03, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 11, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 11,
Wiz
CVE-2026-1850 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-1850: MongoDB vulnerability analysis and mitigation
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
Source: NVD
Score 7.1
Published February 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mongodb
cpe:2.3:a:mongodb:mongodb
Sources
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Nix Severity HIGH Has Fix Added at: Mar 03, 2026
Linux Severity HIGH Has Fix Added at: Feb 11, 2026
Windows Severity HIGH Has Fix Added at: Feb 11, 2026
Linux Severity HIG
Wiz
CVE-2026-25610 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-25610: MongoDB vulnerability analysis and mitigation
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
Source: NVD
Score 7.1
Published February 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mongodb
cpe:2.3:a:mongodb:mongodb
Sources
MinimOS Severity MEDIUM Has Fix Added at: Mar 02, 2026
Nix Severity MEDIUM Has Fix Added at: Mar 03, 2026
Ubuntu 18.04, 20.04 Severity MEDIUM No Fix Added at: Feb 20, 2026
Linux Severity MEDIUM Has Fix Added at: Feb 11, 2026
Wiz
CVE-2026-1847 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-1847: MongoDB vulnerability analysis and mitigation
Inserting certain large documents into a replica set could lead to replica set secondaries not being able to fetch the oplog from the primary. This could stall replication inside the replica set, leading to a server crash.
Source: NVD
Score 7.1
Published February 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mongod-7.0
mongod-8.0
Sources
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Nix Severity HIGH Has Fix Added at: Mar 03, 2026
Ubuntu 16.04, 18.04, 20.04
Wiz
CVE-2026-25613 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-25613: MongoDB vulnerability analysis and mitigation
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
Source: NVD
Score 7.1
Published February 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mongod-7.0
mongod-8.0
Sources
MinimOS Severity MEDIUM Has Fix Added at: Mar 02, 2026
Nix Severity MEDIUM Has Fix Added at: Mar 03, 2026
Ubuntu 18.04, 20.04 Severity MEDIUM No Fix Added at: Feb 20, 2026
Linux Severity MEDIUM Has Fix Added
Wiz
CVE-2026-25612 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-25612: MongoDB vulnerability analysis and mitigation
The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation, causing unavailability between them due to conflicting locks.
Source: NVD
Score 7.1
Published February 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
MongoDB
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:mongodb:mongodb
mongodb
Sources
NVD
Ubuntu 16.04, 18.04, 20.04 Severity MEDIUM No Fix Added at: Feb 20,
Wiz
CVE-2026-5170 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2026-5170: MongoDB vulnerability analysis and mitigation
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.
This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
Source: NVD
Score 6
Published March 30, 2026
Severity MEDIUM
CNA Score 6.0
Affected Technologies
MongoDB
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile
Wiz
CVE-2025-14847 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · [HIGH]
## CVE-2025-14847: MongoDB vulnerability analysis and mitigation
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
Source: NVD
Score 8.7
Published December 19, 2025
Severity HIGH
CNA Score 8.7
Wiz
CVE-2026-25611 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7 · [HIGH]
## CVE-2026-25611: MongoDB vulnerability analysis and mitigation
A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
Source: NVD
Score 8.7
Published February 10, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
MongoDB
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:mongodb:mongodb
mongodb
Sources
NVD
Ubuntu 16.04, 18.04, 20.04 Severity HIGH No Fix Added at: Feb 20, 2026
Linux Severity HIGH Has Fix Added at: Feb 11, 2026
Windows Severity HIGH Has Fix Added at: Feb 11, 2026