CVE-2026-6914
Published 2026-04-29
CVE-2026-6914: Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This issue affects all…
Priority: P344, high, 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.26% (16.7th percentile)
Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.
This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, and MongoDB Server v7.0 versions prior to 7.0.32.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb | >= 7.0.0 < 7.0.32 | 7.0.32 |
| mongodb | mongodb | >= 8.0.0 < 8.0.21 | 8.0.21 |
| mongodb | mongodb | >= 8.1.0 < 8.2.7 | 8.2.7 |
| mongodb | mongodb_server | >= 7.0.0 < 7.0.32 | 7.0.32 |
| mongodb | mongodb_server | >= 8.0.0 < 8.0.21 | 8.0.21 |
| mongodb | mongodb_server | 8.1.0 – 8.1.* | — |
| mongodb | mongodb_server | >= 8.2.0 < 8.2.7 | 8.2.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
MongoDB Server up to 7.0.31/8.0.20/8.1.0/8.2.6 BSON Object integer underflow
vuldb·2026-04-29·CVSS 7.1
CVE-2026-6914 [HIGH] MongoDB Server up to 7.0.31/8.0.20/8.1.0/8.2.6 BSON Object integer underflow
A vulnerability was found in MongoDB Server up to 7.0.31/8.0.20/8.1.0/8.2.6 and classified as problematic. Affected by this issue is some unknown functionality of the component BSON Object Handler. Executing a manipulation can lead to integer underflow.
This vulnerability is handled as CVE-2026-6914. The attack can be executed remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
GHSA
GHSA-w2h7-qr22-rw7j: Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server
ghsa_unreviewed·2026-04-29
CVE-2026-6914 [HIGH] CWE-191 GHSA-w2h7-qr22-rw7j: Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server
Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.
This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, and MongoDB Server v7.0 versions prior to 7.0.32.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-29