CVE-2026-5170
Received Received - Intake
Denial of Service via Crash in MongoDB mongod During Cluster Promotion

Publication date: 2026-03-30

Last updated on: 2026-04-02

Assigner: MongoDB, Inc.

Description
A user with access to the cluster with a limited set of privilege actions can trigger a crash of aΒ mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5170
EUVD
EUVD-2026-17115
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mongodb mongodb From 8.2.0 (inc) to 8.2.2 (exc)
mongodb mongodb From 8.0.0 (inc) to 8.0.18 (exc)
mongodb mongodb From 7.0.0 (inc) to 7.0.31 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when a user with limited privileges on a MongoDB cluster triggers a crash of the mongod process. The crash happens during a brief and unpredictable period when the cluster is being promoted from a replica set to a sharded cluster.

The crash can cause a denial of service by taking down the primary node of the replica set, disrupting the availability of the database.

Impact Analysis

The main impact of this vulnerability is a denial of service condition. By crashing the primary node of the replica set, the database service can become unavailable temporarily, affecting applications and users relying on it.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your MongoDB Server to a fixed version. Specifically, upgrade to MongoDB Server version 8.2.2 or later if you are using the 8.2 series, or to versions later than 8.0.18 for the 8.0 series, or later than 7.0.31 for the 7.0 series.

Additionally, restrict user privileges to prevent users with limited privilege actions from triggering the crash during the cluster promotion process.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart