MongoDB Inc MongoDB Server vulnerabilities
82 known vulnerabilities affecting mongodb_inc/mongodb_server.
Total CVEs: 82
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 29, MEDIUM 50

Vulnerabilities (page 4 of 5)
CVE-2021-20330 | P4 | MEDIUM | CVSS 6.5 | CWE-20 | Published 2021-12-15
Affected: ≥ 4.0, < 4.0.27; ≥ 4.2, < 4.2.16; +1 more
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
Source: nvd
CVE-2022-24272 | P4 | MEDIUM | CVSS 6.5 | CWE-617 | Published 2022-04-21
Affected: ≥ 5.0, ≤ 5.0.6
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.
Source: nvd
CVE-2026-25613 | P4 | MEDIUM | CVSS 6.5 | CWE-704 | Published 2026-02-10
Affected: ≥ 7.0, < 7.0.29; ≥ 8.0, < 8.0.18; +1 more
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
Source: nvd
CVE-2026-25610 | P4 | MEDIUM | CVSS 6.5 | CWE-617 | Published 2026-02-10
Affected: ≥ 8.0, < 8.0.13; ≥ 7.0, < 7.0.29
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
Source: nvd
CVE-2025-14345 | P4 | MEDIUM | CVSS 5.4 | CWE-667 | Published 2025-12-09
Affected: ≥ 7.0, < 7.0.26; ≥ 8.0, < 8.0.16; +1 more
A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as comm
Source: nvd
CVE-2021-20326 | P4 | MEDIUM | CVSS 6.5 | CWE-20 | Published 2021-04-30
Affected: ≥ 4.4, < 4.4.4
A user authorized to perform a specific type of find query may trigger a denial of service. This issue affects MongoDB Server v4.4 versions prior to 4.4.4.
Source: nvd
CVE-2025-7259 | P4 | MEDIUM | CVSS 6.5 | CWE-843 | Published 2025-07-07
Affected: ≥ 8.1, ≤ 8.1.0
An authorized user can issue queries with duplicate _id fields, which leads to unexpected behavior in MongoDB Server and may result in a crash. This issue can only be triggered by authorized users and causes Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0.
Source: nvd
CVE-2024-6384 | P4 | MEDIUM | CVSS 5.3 | CWE-285 | Published 2024-08-13
Affected: ≥ 6.0, < 6.0.16; ≥ 7.0, < 7.0.11; +1 more
"Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3.
Source: nvd
CVE-2025-6707 | P4 | MEDIUM | CVSS 5.4 | CWE-863 | Published 2025-06-26
Affected: ≥ 5.0, < 5.0.31; ≥ 6.0, < 6.0.24; +2 more
Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.24, MongoDB Server v7.0 versions prior to 7.0.21 and MongoDB Server v8.0 versions prior to 8.0.5.
Source: nvd
CVE-2024-8207 | P4 | MEDIUM | CVSS 6.7 | CWE-114 | Published 2024-08-27
Affected: ≥ 6.0, < 6.0.3; ≥ 5.0, < 5.0.14
In certain highly specific configurations of the host system and MongoDB server binary installation on Linux Operating Systems, it may be possible for an unintended actor with host-level access to cause the MongoDB Server binary to load unintended actor-controlled shared libraries when the server binary is started, potentially resulting in the unintende
Source: nvd
CVE-2025-3082 | P4 | MEDIUM | CVSS 5.4 | CWE-284 | Published 2025-04-01
Affected: ≥ 5.0, < 5.0.31; ≥ 6.0, < 6.0.20; +2 more
A user authorized to access a view may be able to alter the intended collation, allowing them to access a different or unintended view of the underlying data. This issue affects MongoDB Server v5.0 versions prior to 5.0.31, MongoDB Server v6.0 versions prior to 6.0.20, MongoDB Server v7.0 versions prior to 7.0.14 and MongoDB Server v7.3 versions prior to
Source: nvd
CVE-2025-12893 | P4 | MEDIUM | CVSS 5.4 | CWE-295 | Published 2025-11-25
Affected: ≥ 7.0, < 7.0.26; ≥ 8.0, < 8.0.16; +1 more
Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. Th
Source: nvd
CVE-2021-20333 | P4 | MEDIUM | CVSS 5.3 | CWE-117 | Published 2021-07-23
Affected: ≥ 3.6, < 3.6.20; ≥ 4.0, < 4.0.21; +1 more
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or in log entries being split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21 and MongoDB Server v4.2 versions prior to 4.2.10.
Source: nvd
CVE-2020-7921 | P4 | MEDIUM | CVSS 5.3 | CWE-182 | Published 2020-05-06
Affected: ≥ 4.2, < 4.2.3; ≥ 4.0, < 4.0.15; +2 more
Improper serialization of internal state in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB
Source: nvd
CVE-2026-8200 | P4 | MEDIUM | CVSS 5.3 | CWE-532 | Published 2026-05-13
Affected: ≥ 7.0, < 7.0.34; ≥ 8.0, < 8.0.23; +2 more
When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Source: nvd
CVE-2025-12657 | P4 | MEDIUM | CVSS 5.5 | CWE-754 | Published 2025-11-03
Affected: ≥ 6.0, < 7.0.22; ≥ 8.0, < 8.0.10
The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.
Source: nvd
CVE-2024-3374 | P4 | MEDIUM | CVSS 5.3 | CWE-617 | Published 2024-05-14
Affected: ≥ 5.0, ≤ 5.0.16; ≥ 6.0, ≤ 6.0.5
An unauthenticated user can trigger a fatal assertion in the server while generating ftdc diagnostic metrics due to attempting to build a BSON object that exceeds certain memory sizes. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.16 and MongoDB Server v6.0 versions prior to and including 6.0.5.
Source: nvd
CVE-2025-6711 | P4 | MEDIUM | CVSS 4.9 | CWE-532 | Published 2025-07-07
Affected: ≥ 6.0, < 6.0.21; ≥ 7.0, < 7.0.18; +1 more
An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21.
Source: nvd
CVE-2026-4147 | P4 | MEDIUM | CVSS 4.3 | CWE-457 | Published 2026-03-17
Affected: ≥ 8.2, < 8.2.6; ≥ 8.0, < 8.0.20; +1 more
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Source: nvd
CVE-2018-25004 | P4 | MEDIUM | CVSS 4.9 | CWE-20 | Published 2021-03-01
Affected: ≥ 3.6, < 3.6.11; ≥ 4.0, < 4.0.6
A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.
Source: nvd