MongoDB Inc. MongoDB Server vulnerabilities
82 known vulnerabilities affecting mongodb_inc/mongodb_server.
Total CVEs: 82
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 29, MEDIUM 50
Vulnerabilities
Page 3 of 5
CVE-2025-13507 | P3 | MEDIUM | CVSS 6.5 | CWE-1284
Affected: ≥ 7.0, < 7.0.26; ≥ 8.0, < 8.0.16; +1 more. Published: 2025-11-25.
Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination.
This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1.
Source: NVD
CVE-2026-8843 | P3 | MEDIUM | CVSS 6.5 | CWE-617
Affected: ≥ 7.0, < 7.0.32; ≥ 8.0, < 8.0.21; +1 more. Published: 2026-05-18.
Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.
This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior
Source: NVD
CVE-2018-20805 | P3 | MEDIUM | CVSS 6.5 | CWE-834
Affected: ≥ 3.6, < 3.6.10; ≥ 4.0, < 4.0.5. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which perform an $elemMatch. This issue affects MongoDB Server v4.0 versions prior to 4.0.5 and MongoDB Server v3.6 versions prior to 3.6.10.
Source: NVD
CVE-2024-8305 | P3 | MEDIUM | CVSS 6.5 | CWE-1288
Affected: ≥ 6.0, < 6.0.17; ≥ 7.0, < 7.0.13; +1 more. Published: 2024-10-21.
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, which in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prio
Source: NVD
CVE-2024-6375 | P3 | MEDIUM | CVSS 6.5 | CWE-285
Affected: ≥ 5.0, < 5.0.22; ≥ 6.0, < 6.0.11; +1 more. Published: 2024-07-01.
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.
Source: NVD
CVE-2026-8063 | P3 | MEDIUM | CVSS 6.5 | CWE-476
Affected: ≥ 8.2.0, < 8.2.7. Published: 2026-05-07.
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.
When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage's input pipeline array
Source: NVD
CVE-2018-20802 | P4 | MEDIUM | CVSS 6.5 | CWE-394
Affected: ≥ 3.6, < 3.6.9; ≥ 4.0, < 4.0.3. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 versions prior to 3.6.9 and MongoDB Server v4.0 versions prior to 4.0.3.
Source: NVD
CVE-2020-7926 | P4 | MEDIUM | CVSS 6.5 | CWE-755
Affected: ≥ 4.4, < 4.4.1. Published: 2020-11-23.
A user authorized to perform database queries may cause denial of service by issuing a specially crafted query which violates an invariant in the server selection subsystem. This issue affects MongoDB Server v4.4 versions prior to 4.4.1. Versions before 4.4 are not affected.
Source: NVD
CVE-2020-7929 | P4 | MEDIUM | CVSS 6.5 | CWE-185
Affected: ≥ 3.6, < 3.6.21; ≥ 4.0, < 4.0.20. Published: 2021-03-01.
A user authorized to perform database queries may trigger denial of service by issuing a specially crafted query containing a type of regex. This issue affects MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.
Source: NVD
CVE-2020-7923 | P4 | MEDIUM | CVSS 6.5 | CWE-755
Affected: ≥ 4.4, < 4.4.0-rc7; ≥ 4.2, < 4.2.8; +1 more. Published: 2020-08-21.
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects MongoDB Server v4.4 versions prior to 4.4.0-rc7; MongoDB Server v4.2 versions prior to 4.2.8 and MongoDB Server v4.0 versions prior to 4.0.19.
Source: NVD
CVE-2019-2392 | P4 | MEDIUM | CVSS 6.5 | CWE-190
Affected: ≥ 3.6, < 3.6.20; ≥ 4.0, < 4.0.20; +2 more. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use the $mod operator to overflow negative values. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
Source: NVD
CVE-2019-2393 | P4 | MEDIUM | CVSS 6.5 | CWE-416
Affected: ≥ 3.6, < 3.6.15; ≥ 4.0, < 4.0.13; +1 more. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which use $lookup and collations. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13 and MongoDB Server v3.6 versions prior to 3.6.15.
Source: NVD
CVE-2018-20804 | P4 | MEDIUM | CVSS 6.5 | CWE-20
Affected: ≥ 3.6, < 3.6.13; ≥ 4.0, < 4.0.10. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted applyOps invocations. This issue affects MongoDB Server v4.0 versions prior to 4.0.10 and MongoDB Server v3.6 versions prior to 3.6.13.
Source: NVD
CVE-2025-3084 | P4 | MEDIUM | CVSS 6.5 | CWE-703
Affected: ≥ 5.0, < 5.0.31; ≥ 6.0, < 6.0.20; +2 more. Published: 2025-04-01.
When run on commands with certain arguments set, explain may fail to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4.
Source: NVD
CVE-2025-13643 | P4 | MEDIUM | CVSS 6.5 | CWE-862
Affected: ≥ 8.0, < 8.0.14; ≥ 7.0, < 7.0.26. Published: 2025-11-25.
A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior
Source: NVD
CVE-2019-2386 | P4 | HIGH | CVSS 7.1 | CWE-285
Affected: ≥ 4.0, < 4.0.9; ≥ 3.6, < 3.6.13; +1 more. Published: 2019-08-06.
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Serv
Source: NVD
CVE-2019-20924 | P4 | MEDIUM | CVSS 6.5 | CWE-394
Affected: ≥ 4.2, < 4.2.2. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server v4.2 versions prior to 4.2.2.
Source: NVD
CVE-2019-20923 | P4 | MEDIUM | CVSS 6.5 | CWE-749
Affected: ≥ 4.0, < 4.0.7. Published: 2020-11-23.
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which throw unhandled JavaScript exceptions containing types intended to be scoped to the JavaScript engine's internals. This issue affects MongoDB Server v4.0 versions prior to 4.0.7.
Source: NVD
CVE-2021-32037 | P4 | MEDIUM | CVSS 6.5 | CWE-617
Affected: ≥ 5.0, ≤ 5.0.2. Published: 2021-11-24.
An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects M
Source: NVD
CVE-2026-25612 | P4 | MEDIUM | CVSS 6.5 | CWE-412
Affected: ≥ 8.2, < 8.2.4; ≥ 8.0, < 8.0.18; +1 more. Published: 2026-02-10.
The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.
Source: NVD