MongoDB vulnerabilities
108 known vulnerabilities affecting mongodb/mongodb.
Total CVEs: 108
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 34, MEDIUM 70
Vulnerabilities
Page 1 of 6
CVE-2025-14847 | HIGH, CVSS 7.5 | P1 | CWE-130 | KEV, PoC | affected: ≥ 3.6.0, < 4.4.30; ≥ 5.0.0, < 5.0.32; +4 more | 2025-12-19
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Ser
Source: nvd

CVE-2013-1892 | MEDIUM, CVSS 6.0 | P3 | CWE-20 | PoC | affected: ≤ 2.0.8; v1.2.0; +15 more | 2013-10-01
MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMonkey, which allows remote authenticated users to cause a denial of service (invalid memory access and server crash) or execute arbitrary code via a crafted memory address in the first argument.
Source: nvd

CVE-2026-8053 | HIGH, CVSS 8.8 | P2 | CWE-787 | affected: ≥ 5.0.0, < 5.0.33; ≥ 6.0.0, < 6.0.28; +4 more | 2026-05-13
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result
Source: nvd

CVE-2013-3969 | MEDIUM, CVSS 6.5 | P3 | CWE-399 | PoC | affected: v2.4.0; v2.4.1; +3 more | 2013-10-01
The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and server crash) or possibly execute arbitrary code via an invalid RefDB object.
Source: nvd

CVE-2025-3085 | CRITICAL, CVSS 9.8 | P3 | CWE-299 | affected: ≥ 5.0.0, < 5.0.31; ≥ 6.0.0, < 6.0.20; +2 more | 2025-04-01
A MongoDB server under specific conditions running on Linux with TLS and CRL revocation status checking enabled, fails to check the revocation status of the intermediate certificates in the peer's certificate chain. In cases of MONGODB-X509, which is not enabled by default, this may lead to improper authentication. This issue may also affect intra-c
Source: nvd

CVE-2026-8201 | HIGH, CVSS 8.8 | P3 | CWE-416 | affected: ≥ 7.0.0, < 7.0.34; ≥ 8.0.0, < 8.0.23; +2 more | 2026-05-13
A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query.
This issue impacts MongoDB Server's mongocryptd component v7.0 versions prior to 7.0.34,
Source: nvd

CVE-2024-1351 | CRITICAL, CVSS 9.8 | P3 | CWE-295 | affected: ≥ 4.4.0, < 4.4.29; ≥ 5.0.0, < 5.0.25; +2 more | 2024-03-07
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB S
Source: nvd

CVE-2025-6706 | HIGH, CVSS 8.8 | P3 | CWE-416 | affected: ≥ 6.0.0, < 6.0.21; ≥ 7.0.0, < 7.0.17; +1 more | 2025-06-26
An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server.
The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expression
Source: nvd

CVE-2015-7882 | HIGH, CVSS 8.1 | P3 | CWE-287 | affected: ≥ 3.0.0, ≤ 3.0.6 | 2019-07-19
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access.
Source: nvd, osv

CVE-2024-8654 | CRITICAL, CVSS 9.8 | P3 | CWE-908 | affected: ≥ 6.0.0, ≤ 6.0.3 | 2024-09-10
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.
Source: nvd

CVE-2026-11933 | HIGH, CVSS 8.8 | P3 | CWE-787 | affected: ≥ 4.4.0, < 4.4.31; ≥ 5.0.0, < 5.0.34; +12 more | 2026-06-12
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in di
Source: nvd

CVE-2026-4148 | HIGH, CVSS 8.8 | P3 | CWE-416 | affected: ≥ 7.0.0, < 7.0.31; ≥ 8.0.0, < 8.0.20; +2 more | 2026-03-17
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Source: nvd

CVE-2024-10921 | HIGH, CVSS 8.1 | P3 | CWE-158 | affected: ≥ 5.0.0, < 5.0.30; ≥ 6.0.0, < 6.0.19; +2 more | 2024-11-14
An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30, MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and
Source: nvd

CVE-2026-4358 | HIGH, CVSS 7.5 | P3 | CWE-415 | affected: ≥ 7.0.0, < 7.0.31; ≥ 8.0.0, < 8.0.20; +1 more | 2026-03-17
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Source: nvd

CVE-2017-15535 | CRITICAL, CVSS 9.1 | P3 | no CWE listed | affected: ≥ 3.4.0, < 3.4.10 | 2017-11-01
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.
Source: nvd, osv

CVE-2026-9740 | HIGH, CVSS 7.5 | P3 | CWE-674 | affected: ≥ 7.0.0, < 7.0.35; ≥ 8.0.0, < 8.0.24; +2 more | 2026-06-09
A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
Source: nvd

CVE-2019-20925 | HIGH, CVSS 7.5 | P3 | CWE-839 | affected: ≥ 3.4.0, < 3.4.24; ≥ 3.6.0, < 3.6.15; +2 more | 2020-11-24
An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v
Source: nvd, osv

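CVE-2025-14847, CVE-2017-15535 and this entry are all failures of the same check: the sizes a client writes into an OP_COMPRESSED header are attacker-controlled and must be reconciled with the bytes the decompressor actually produces before anything allocates or reads on the strength of them. The parser below is an added example, not MongoDB's code and not the fix for any of these CVEs. It assumes the public wire-protocol layout (a 16-byte MsgHeader of messageLength, requestID, responseTo and opCode, followed by originalOpcode, uncompressedSize, compressorId and the compressed bytes), handles only the zlib compressor, caps uncompressedSize at an assumed 48 MiB, and checks frames it constructs inline, including ones whose header lies in each direction.

```python
"""Parse MongoDB OP_COMPRESSED frames and reject header/length mismatches.

Added example, not MongoDB's code. Layout follows the public wire protocol:
  MsgHeader:          messageLength, requestID, responseTo, opCode (4 x int32 LE)
  OP_COMPRESSED body: originalOpcode int32, uncompressedSize int32,
                      compressorId uint8, compressedMessage bytes
"""
import struct
import zlib
from typing import Dict, Optional, Tuple

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
MSG_HEADER_LEN = 16
COMPRESSED_HEADER_LEN = 9
MAX_UNCOMPRESSED = 48 * 1024 * 1024   # assumed cap for this example, not mongod's setting


class MalformedMessage(ValueError):
    """Raised for any frame a hardened decompressor should drop before parsing."""


def build_op_compressed(payload: bytes, declared_size: Optional[int] = None,
                        request_id: int = 1) -> bytes:
    """Wrap `payload` in an OP_COMPRESSED frame using zlib. `declared_size` lets
    a caller write a lying uncompressedSize, as a hostile client would."""
    size = len(payload) if declared_size is None else declared_size
    body = struct.pack("<iiB", OP_MSG, size, COMPRESSOR_ZLIB) + zlib.compress(payload)
    header = struct.pack("<iiii", MSG_HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def decompress_op_compressed(frame: bytes) -> Tuple[int, bytes]:
    """Return (originalOpcode, uncompressed bytes) or raise MalformedMessage."""
    if len(frame) < MSG_HEADER_LEN + COMPRESSED_HEADER_LEN:
        raise MalformedMessage("frame shorter than the two headers")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", frame, 0)
    if msg_len != len(frame):
        raise MalformedMessage(f"messageLength {msg_len} != {len(frame)} bytes on the wire")
    if opcode != OP_COMPRESSED:
        raise MalformedMessage(f"opCode {opcode} is not OP_COMPRESSED")
    orig_op, declared, comp_id = struct.unpack_from("<iiB", frame, MSG_HEADER_LEN)
    if orig_op == OP_COMPRESSED:
        raise MalformedMessage("nested OP_COMPRESSED rejected (this parser's policy)")
    if not 0 <= declared <= MAX_UNCOMPRESSED:
        raise MalformedMessage(f"uncompressedSize {declared} outside [0, {MAX_UNCOMPRESSED}]")
    if comp_id != COMPRESSOR_ZLIB:
        raise MalformedMessage(f"compressorId {comp_id} not handled by this example")
    compressed = frame[MSG_HEADER_LEN + COMPRESSED_HEADER_LEN:]
    d = zlib.decompressobj()
    try:
        # Bound output at declared+1: one byte of slack is enough to detect a
        # stream longer than declared without ever allocating more than that.
        out = d.decompress(compressed, declared + 1)
    except zlib.error as exc:
        raise MalformedMessage(f"zlib stream invalid: {exc}") from exc
    if len(out) != declared:
        raise MalformedMessage(f"uncompressedSize {declared} but stream yields {len(out)}+ bytes")
    if not d.eof or d.unused_data:
        raise MalformedMessage("zlib stream ends early or is followed by trailing bytes")
    return orig_op, out


def demo() -> Dict[str, str]:
    """Run the parser over constructed frames; returns accept/reject per case."""
    payload = b"\x0d\x00\x00\x00\x10ok\x00\x01\x00\x00\x00\x00"   # constructed BSON {"ok": 1}
    cases = {
        "honest": build_op_compressed(payload),
        "declares_more": build_op_compressed(payload, declared_size=len(payload) + 64),
        "declares_less": build_op_compressed(payload, declared_size=len(payload) - 2),
        "negative_size": build_op_compressed(payload, declared_size=-1),
    }
    # A stream cut before its adler32 trailer: lengths may agree, eof will not.
    inner = struct.pack("<iiB", OP_MSG, len(payload), COMPRESSOR_ZLIB) + zlib.compress(payload)[:-4]
    cases["truncated_stream"] = struct.pack("<iiii", MSG_HEADER_LEN + len(inner), 5, 0, OP_COMPRESSED) + inner
    results = {}
    for name, frame in cases.items():
        try:
            decompress_op_compressed(frame)
            results[name] = "accepted"
        except MalformedMessage as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The one byte of slack in `max_length` is what lets the check tell "stream exactly as declared" from "stream longer than declared" without decompressing an unbounded amount; an undersized or oversized declaration is caught by the length comparison, and a stream that ends early or carries trailing bytes by the `eof` and `unused_data` checks.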
CVE-2025-3083 | HIGH, CVSS 7.5 | P3 | CWE-248 | affected: ≥ 5.0.0, < 5.0.31; ≥ 6.0.0, < 6.0.20; +1 more | 2025-04-01
Specifically crafted MongoDB wire protocol messages can cause mongos to crash during command validation. This can occur without using an authenticated connection. This issue affects MongoDB v5.0 versions prior to 5.0.31, MongoDB v6.0 versions prior to 6.0.20 and MongoDB v7.0 versions prior to 7.0.16
Source: nvd

CVE-2025-10060 | HIGH, CVSS 7.5 | P3 | CWE-672 | affected: ≥ 6.0.0, < 6.0.25; ≥ 7.0.0, < 7.0.22; +1 more | 2025-09-05
MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions pri
Source: nvd

CVE-2026-6914 | HIGH, CVSS 7.5 | P3 | CWE-191 | affected: ≥ 7.0.0, < 7.0.32; ≥ 8.0.0, < 8.0.21; +1 more | 2026-04-29
Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.
This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior to 7.0.32
Source: nvd

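Every row above states its affected versions in the same notation: comma-joined constraints such as "≥ 5.0.0, < 5.0.31" for one range, bare "vX.Y.Z" for a single version, and "+N more" where the listing truncates the set. The script below is an added example, not part of this listing and not MongoDB's code, that turns a handful of the ranges shown on this page into a lookup a practitioner can run against a deployed mongod version string. Assumptions: versions compare numerically by dotted components, a pre-release suffix such as -rc0 is ignored, and only the ranges visible on this page are encoded, so an empty result means "no visible range matched" rather than "unaffected"; the "+N more" ranges are not on the page and are not filled in here.

```python
"""Check a mongod version against affected ranges in this listing's notation.

Added example, not code from the listing or from MongoDB. Only ranges visible
on this page are encoded; rows marked "+N more" are deliberately incomplete.
"""
import re
from typing import List, Tuple

# Ranges copied from the rows above. Ranges within one row are OR-ed; the
# comma-joined constraints inside a single range are AND-ed.
AFFECTED = {
    "CVE-2025-14847": ["≥ 3.6.0, < 4.4.30", "≥ 5.0.0, < 5.0.32"],  # page shows "+4 more"
    "CVE-2024-1351":  ["≥ 4.4.0, < 4.4.29", "≥ 5.0.0, < 5.0.25"],  # page shows "+2 more"
    "CVE-2025-3085":  ["≥ 5.0.0, < 5.0.31", "≥ 6.0.0, < 6.0.20"],  # page shows "+2 more"
    "CVE-2024-8654":  ["≥ 6.0.0, ≤ 6.0.3"],
    "CVE-2015-7882":  ["≥ 3.0.0, ≤ 3.0.6"],
    "CVE-2013-3969":  ["v2.4.0", "v2.4.1"],                         # page shows "+3 more"
}

_OPS = {
    "≥": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "≤": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
_CONSTRAINT = re.compile(r"^([≥≤<>]?)\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'v4.4.30-rc0' -> (4, 4, 30). Pre-release suffixes are dropped and missing
    components pad with 0; both are assumptions of this example."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version: Tuple[int, ...], range_text: str) -> bool:
    """True when `version` satisfies every constraint in one range string."""
    for raw in range_text.split(","):
        m = _CONSTRAINT.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse constraint {raw!r}")
        op = m.group(1) or "="          # bare "v2.4.0" means exactly that version
        if not _OPS[op](version, parse_version(m.group(2))):
            return False
    return True


def affected_cves(version_text: str) -> List[str]:
    """CVE ids whose visible ranges include the given version, sorted."""
    v = parse_version(version_text)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(version_in_range(v, r) for r in ranges))


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["4.4.29", "5.0.24", "8.0.17"]:
        hits = affected_cves(arg)
        print(arg, "->", ", ".join(hits) if hits else "no visible range matched (not a clean bill)")
```

Run it with one or more version strings as arguments; a version that matches nothing still needs the full row list, since every row marked "+N more" has ranges this page does not display.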