CVE-2026-5170Reachable Assertion in Mongodb Server

CWE-617Reachable Assertion5 documents5 sources
Severity
6.0MEDIUMNVD
EPSS
0.0%
top 85.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mongodb ServerMongodb
Timeline
PublishedMar 30

Description

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5mongodb/mongodb_server8.28.2.2+2
NVDmongodb/mongodb7.0.07.0.31+2

Patches

Patch: jira.mongodb.org

🔴Vulnerability Details

3
GHSA
GHSA-qg39-5q45-4gcc: A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable2026-03-30
CVEList
Users could trigger a crash of mongod primaries during promotion to sharded2026-03-30
OSV
CVE-2026-5170: A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable2026-03-30

🕵️Threat Intelligence

1
Wiz
CVE-2026-5170 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-5170 — Reachable Assertion in Mongodb Server | cvebase