
MongoDB server — Vulnerabilities & Security Advisories 97

All 97 CVE vulnerabilities found in MongoDB server, with AI-generated Chinese analysis, references, and POCs.

This page documents security vulnerabilities, weaknesses, and associated tags for MongoDB Server, a popular open-source document-oriented database. It aggregates data on known security flaws ranging from buffer overflows and injection attacks to configuration errors and denial-of-service conditions that affect the stability and confidentiality of database deployments. The content covers reported vulnerabilities from their initial disclosure through to current patch availability, providing a comprehensive view of the threat landscape. Users can track vendor-specific advisories issued by MongoDB Inc. to stay informed about emerging threats and required mitigations. The resource enables analysts to understand the specific characteristics and implications of particular weakness classes as they apply to this database engine. Additionally, it allows users to look up the complete vulnerability history of MongoDB Server releases to assess past security incidents and evaluate the product’s security posture over time. This centralized approach simplifies the process of monitoring security updates and understanding the context of each flaw. By consolidating these details, the page supports security professionals, developers, and administrators in making informed decisions about system hardening and upgrade schedules. The information presented is derived from official vendor disclosures and independent security research, ensuring accuracy and relevance for operational risk management.

Vendor: MongoDB Inc.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-9740 | Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow | CWE-674 | 7.5 | High | 2026-06-09 |
| CVE-2026-9735 | Keyfile contents are in MongoDB Server logs | CWE-532 | 5.5 | Medium | 2026-06-09 |
| CVE-2026-9753 | Server crash via malformed binary diff passed to $_internalApplyOplogUpdate. | CWE-1287 | 8.1 | High | 2026-06-09 |
| CVE-2026-9752 | GeometryCollection with strict-winding polygon causes server crash during 2dsphere index key generation | CWE-476 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9751 | Sensitive data could be written to mongod.log | CWE-532 | 5.5 | Medium | 2026-06-09 |
| CVE-2026-9750 | Metadata name collision on $-prefixed fields causes post-auth server crash | CWE-617 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9749 | Using MaxKey() may crash the server | CWE-617 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9748 | $_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input | CWE-617 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9747 | Crafted cross-shard merge aggregation crashes MongoDB Server | CWE-617 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9746 | Server crashes in case of the use of exchange | CWE-617 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9743 | Aggregation sub-pipeline null dereference may allow DoS via crafted getMore | CWE-476 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-9742 | Authenticate command with specific mechanism parameter can trigger server crash | CWE-1287 | 7.5 | High | 2026-06-09 |
| CVE-2026-9741 | Client side encryption fails to encrypt values in a $vectorSearch | CWE-319 | 6.5 | Medium | 2026-06-09 |
| CVE-2026-8843 | Calling createIndex with certain index types can crash mongod | CWE-617 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-8202 | Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators | CWE-770 | 4.3 | Medium | 2026-05-13 |
| CVE-2026-8336 | Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands | CWE-416 | 7.5 | High | 2026-05-13 |
| CVE-2026-8201 | Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields | CWE-416 | 6.4 | Medium | 2026-05-13 |
| CVE-2026-8200 | Schema validation log messages may not redact user data | CWE-532 | 2.7 | Low | 2026-05-13 |
| CVE-2026-8199 | Post-auth memory exhaustion via bitwise match expressions | CWE-1325 | 6.5 | Medium | 2026-05-13 |
| CVE-2026-8053 | FlatBSON Duplicate Field Index Drift | CWE-787 | 8.8 | High | 2026-05-12 |
| CVE-2026-8063 | Post-auth null pointer dereference when aggregating against a view with empty search pipeline | CWE-476 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-6915 | Flaw in the updateUser Command May Allow Unauthorized Configuration Change | CWE-1284 | 6.3 | Medium | 2026-04-29 |
| CVE-2026-6914 | MD5 checksum creation may cause availability loss | CWE-191 | 6.5 | Medium | 2026-04-29 |
| CVE-2026-5170 | Users could trigger a crash of mongod primaries during promotion to sharded | CWE-617 | 5.3 | Medium | 2026-03-30 |
| CVE-2026-4358 | Memory safety issues in slot-based execution hash table spill | CWE-415 | 6.4 | Medium | 2026-03-17 |
| CVE-2026-4148 | ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators | CWE-416 | 8.8 | High | 2026-03-17 |
| CVE-2026-4147 | Stack memory disclosure in filemd5 command | CWE-457 | 6.5 | Medium | 2026-03-17 |
| CVE-2026-25613 | An unsafe cast in the MongoDB query planner can result in a segmentation fault. | CWE-704 | 6.5 | Medium | 2026-02-10 |
| CVE-2026-1849 | Mongod can run out of stack memory when expressions create deeply nested documents | CWE-674 | 6.5 | Medium | 2026-02-10 |
| CVE-2026-1850 | An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification | CWE-770 | 6.5 | Medium | 2026-02-10 |

All 97 known CVE vulnerabilities affecting MongoDB server with full Chinese analysis, references, and POCs where available.