CVE-2026-5170
Denial of Service via Crash in MongoDB mongod During Cluster Promotion
Publication date: 2026-03-30
Last updated on: 2026-04-02
Assigner: MongoDB, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | mongodb | From 8.2.0 (inc) to 8.2.2 (exc) |
| mongodb | mongodb | From 8.0.0 (inc) to 8.0.18 (exc) |
| mongodb | mongodb | From 7.0.0 (inc) to 7.0.31 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when a user with limited privileges on a MongoDB cluster triggers a crash of the mongod process. The crash happens during a brief and unpredictable period when the cluster is being promoted from a replica set to a sharded cluster.
The crash can cause a denial of service by taking down the primary node of the replica set, disrupting the availability of the database.
How can this vulnerability impact me?
The main impact of this vulnerability is a denial of service condition. By crashing the primary node of the replica set, the database service can become unavailable temporarily, affecting applications and users relying on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your MongoDB Server to a fixed version. Specifically, upgrade to MongoDB Server version 8.2.2 or later if you are using the 8.2 series, or to versions later than 8.0.18 for the 8.0 series, or later than 7.0.31 for the 7.0 series.
Additionally, restrict user privileges so that accounts with limited privileges cannot perform the actions that trigger the crash during the cluster promotion process.
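A fleet-wide version check against the affected ranges listed in this advisory, added here as an example and not part of the advisory or of MongoDB's own tooling. It assumes the first line of `mongod --version` output has the form `db version v8.0.17`, and it conservatively treats a pre-release build of the first fixed version (e.g. 8.0.18-rc0) as still affected, which the advisory does not state.

```python
"""Flag MongoDB nodes whose version falls in the CVE-2026-5170 affected ranges."""
import re

# Affected ranges as listed in the advisory: lower bound inclusive, upper exclusive.
AFFECTED_RANGES = (
    ((8, 2, 0), (8, 2, 2)),
    ((8, 0, 0), (8, 0, 18)),
    ((7, 0, 0), (7, 0, 31)),
)

# Matches "8.0.17", "v8.0.17" or "db version v8.0.18-rc0" (optional pre-release tag).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None) from a version string
    or from `mongod --version` output (assumed first line: "db version v8.0.17")."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MongoDB version found in {text!r}")
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)


def is_affected(text):
    """True if the version lies in any affected range. A pre-release of the first
    fixed version is treated as affected (assumption: the fix may not be in it yet)."""
    version, prerelease = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return True
        if prerelease and version == high:
            return True
    return False


def check_hosts(reports):
    """reports maps host name -> `mongod --version` text; returns hosts needing upgrade."""
    return sorted(host for host, out in reports.items() if is_affected(out))


# Constructed sample reports, shaped like the first line of `mongod --version`.
SAMPLE_REPORTS = {
    "rs0-primary": "db version v8.0.17\nBuild Info: constructed sample",
    "rs0-secondary": "db version v8.0.18\nBuild Info: constructed sample",
    "rs1-primary": "db version v7.0.31",
    "legacy": "db version v6.0.20",
    "canary": "db version v8.2.2-rc1",
}

if __name__ == "__main__":
    print("hosts to upgrade:", check_hosts(SAMPLE_REPORTS))  # → ['canary', 'rs0-primary']
```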