MongoDB Alerts

This page lists critical alerts and advisories for MongoDB. See the MongoDB JIRA for a comprehensive list of bugs and feature requests.

General

MongoDB Security Notice

1/23/24 - 6:00 PM EST

MongoDB has published a Post Event Summary for the security incident first reported here on December 16, 2023, US Eastern time (EST). As a reminder, our investigation is complete and closed, with our findings verified by our third-party forensic experts.

1/03/24 - 5:00 PM EST

Our investigation of the security incident first reported here on December 16, 2023, US Eastern time (EST) is now complete and closed.

The investigation led by our security and engineering teams uncovered no evidence of unauthorized access to MongoDB Atlas clusters. This finding has been verified by our third-party forensic experts.

We are committed to being timely and transparent with details about this Security Incident. We plan to release a post event summary as soon as practicable.

Data Integrity Related

10/09/2025

Under certain situations, when running a join ($lookup, $graphLookup or $unionWith) in one database, followed by a $merge or $out written into another database, the join can read the wrong collection if the foreign collection of the join stage and the output collection of the $merge or $out stage have the same name. This will result in incorrect or missing results in the output collection.

Affects:

MongoDB Server, MongoDB Atlas

versions:

6.0 - 6.0.26
7.0 - 7.0.21
8.0 - 8.0.9

09/16/2025

When restoring from a backup, mongorestore silently ignores namespaces containing a newline character, without logging any warning messages. This affects mongorestore versions 3.3.11-100.12.1. Please upgrade to version 100.12.2 or later. This issue also affects namespaces containing newlines on Atlas Flex-tier backup snapshots, and Free-tier clusters that have been in a paused state. In both these scenarios, Atlas uses mongorestore behind the scenes and the fix has already been applied.

Affects:

Atlas, mongorestore

versions:

3.3.11 - 100.12.1

08/07/2025

Time series data can be corrupted if double-precision metrics are inserted in a pattern of multiple successive values with identical non-zero deltas, followed by a measurement where the metric is missing, into a time series collection for a specific meta value and adjacent time range.

Affects:

MongoDB Server

versions:

8.0.0 - 8.0.7

08/07/2025

Performing deletes on a time-series collection with a non-metaField filter, followed by inserts on an adjacent time range, can result in data inserted after the delete being prematurely TTL-expired and/or missing from query results.

Affects:

Atlas, MongoDB Server

versions:

7.0.0 - 7.0.15
8.0.0 - 8.0.3

07/16/2025

Combined alert for MongoDB Relational Migrator with multiple data integrity issues affecting data migrations from relational databases into MongoDB. These affect Snapshot migrations that contain specific mappings for cyclic dependency loops, ‘array-in-doc-in-array’ nested embeddings, or use of the idempotency user setting. These also affect Continuous (CDC) migrations.

Affects:

Relational Migrator

versions:

1.0.0-1.13.2

06/17/2025

Certain queries that involve an $elemMatch expression with string predicates may use an index with incompatible collation due to a plan cache bug. Impacted queries can return results which miss documents that should have been included. Write operations that rely on queries that incorrectly miss documents may not correctly update those documents. This includes updates, deletes, and $merge/$out aggregations with impacted query filters.

Affects:

MongoDB Server

versions:

6.0.0-6.0.23
7.0.0-7.0.20
8.0.0-8.0.9

04/08/2025

A bug, under certain circumstances, may cause a simple equality (non-_id) predicate query on sharded collections to report no results when a valid result exists.

Affects:

Atlas, MongoDB Server

versions:

8.0 - 8.0.4

03/19/2025

When enabling the useBigInt64 option (disabled by default) to deserialize a value through the bson JavaScript library (which is included in the MongoDB Node.js driver), negative Int64 values can be parsed as large positive values (greater than 9,223,372,036,854,775,807).

Affects:

JavaScript bson library, MongoDB Node.js driver, MongoDB Shell, Compass, VS Code Extension

versions:

bson library 6.4.0 - 6.10.2
MongoDB Node.js driver 6.0.0 - 6.13.0
Mongoose 8.3.5 - 8.10.1
MongoDB Shell 2.2.0 - 2.3.9
Compass 1.42.3-beta.4 - 1.45.3
VSCode Extension 1.6.1 - 1.12.0

03/03/2025

In certain situations, a resharded collection may have had retryable writes repeated on its documents multiple times.

Affects:

MongoDB Server

versions:

5.0.0 - 5.0.30
6.0.0 - 6.0.16
7.0.0 - 7.0.12
8.0.0 - 8.0.3

01/29/2025

Time Series collections may experience data loss when multiple documents are inserted concurrently with “ordered: false” and retryable writes are enabled.

Affects:

Atlas, MongoDB Server

versions:

7.0.0-7.0.15
8.0.0-8.0.3

01/29/2025

Performing a delete with a non-metadata filter on a time-series collection that is sharded on the time field may result in data loss.

Affects:

Atlas, MongoDB Server

versions:

7.0.0 - 7.0.15
8.0.0 - 8.0.3

12/11/2024

A reshardCollection operation on a cluster with at least two shards can potentially omit a collection's catalog entry from a shard's local catalog if a movePrimary operation had previously been issued on the same cluster. This impacts operations involving data migration that look up the database cache, namely movePrimary, reshardCollection, moveRange, and moveChunk.

Affects:

MongoDB Server

versions:

5.0.0 - 5.0.25
6.0.0 - 6.0.14
7.0.0 - 7.0.7
7.3.0 - 7.3.1

10/24/2024

Queries may return incomplete results when Time Series collections created prior to MongoDB 5.2 have been upgraded to MongoDB 6.0 or newer prior to those collections being cloned. Relatedly, Time Series collections on MongoDB Rapid Releases 7.1.0-7.3.3 that had their collection granularity changed via collMod while on those versions, may have also returned incomplete query results.

Affects:

Atlas, MongoDB Server

versions:

6.0.0 - 6.0.16
7.0.0 - 7.0.12
7.1.0 - 7.3.3

10/03/2024

A bug can cause incorrect results or crashes when running certain aggregation pipelines containing $group and $lookup while on MongoDB Server version 6.0.17.

Affects:

MongoDB Server

versions:

6.0.17

09/10/2024

The Node.js v22.7.0 runtime contains a regression related to its handling of UTF-8 encoding that can impact the data integrity of applications using the MongoDB Node.js driver. MongoDB does not use the affected Node.js version in any of its products; however, developers using MongoDB’s Node.js driver could experience data integrity issues when data is written to their clusters via the Node.js v22.7.0 runtime.

Affects:

MongoDB Node.js driver

versions:

Any MongoDB Node.js driver version if data was written using Node.js v22.7.0

08/15/2024

To balance load and maintain a high quality of service, the Atlas Serverless system occasionally migrates data of serverless instances between different database servers. Certain multi-write, non-transactional database commands are not safely auto-retried by Atlas Serverless upon migration completion, which can lead to incorrect update and delete behavior.

Affects:

Atlas Serverless

versions:

5.0+

07/02/2024

Issues during the initial data copy in mongosync 1.1.0 – 1.7.1 may lead to some writes or documents on the source not being replicated to the destination. Upgrade to mongosync version 1.7.2 or later. Atlas Live Migrate relies on mongosync for migrations to MongoDB 6.0+ and the fix has been applied to Atlas Live Migrate.

Affects:

Cluster-to-Cluster Sync (mongosync)

versions:

1.1.0 - 1.7.1

04/15/2024

Issues affecting multi-document transactions on sharded clusters can cause sharded multi-document transactions to return incorrect data and possibly miss writes.

Affects:

MongoDB Server

versions:

4.4.0 - 4.4.29
5.0.0 - 5.0.25
6.0.0 - 6.0.14
7.0.0 - 7.0.8
7.1.0 - 7.3.1

02/20/2024

An issue in mongodump can cause keys in collection options to be dumped in the wrong order. These alterations could change the result set returned by a view or change which documents are accepted by a validator.

Affects:

Atlas, Mongodump

versions:

A fix has been released on Atlas, but free or shared clusters may have been impacted in the past.
Mongodump 4.2.0 - 100.9.0

11/29/2023

An issue affecting inserts to Sharded Time Series collections can result in inserted documents on these collections being immediately orphaned, leading to documents not being returned by queries and potential data loss.

Affects:

MongoDB Server

versions:

5.0.6 - 5.0.21
6.0.0 - 6.0.11
7.0.0 - 7.0.2

11/10/2023

A race condition in mongosync 1.5 can lead to some writes on the source not being replicated to the destination. Upgrade to version 1.6 or later.

Affects:

Cluster-to-Cluster Sync (mongosync)

versions:

1.5.0

05/23/2023

A storage engine issue can cause inconsistent incremental Ops Manager and Cloud Manager backups. Clusters restored from affected incremental backups can crash with checksum errors. Atlas customers/backups are not affected.

Affects:

Ops Manager and Cloud Manager

versions:

4.4.8 - 4.4.21
5.0.2 - 5.0.17
6.0.0 - 6.0.5

03/14/2023

A storage engine bug in MongoDB running on ARM64 or POWER architectures may store documents or index entries out of order, leading to inconsistencies and improperly sorted or incomplete query results.

Affects:

MongoDB Server

versions:

4.2.0 - 4.2.23
4.4.0 - 4.4.18
5.0.0 - 5.0.14
6.0.0 - 6.0.4
6.1.0 - 6.2.0

09/19/2022

A MongoDB agent issue in Atlas, Ops Manager, and Cloud Manager can cause automated "rolling index builds" to introduce index inconsistencies. MongoDB clusters on other platforms are not affected.

Affects:

Atlas, Ops Manager, and Cloud Manager

versions:

MongoDB versions 4.2.19+, 4.4.13+, 5.0.6+, 5.1-5.3, and 6.0.0+ running on:
- Atlas - a fix has been released on Atlas, but clusters may have been impacted in the past.
- Ops Manager versions 5.0.10-5.0.14 and 6.0.0-6.0.2
- Cloud Manager running MongoDB Agent version from 11.13.0.7438-1 to 12.4.0.7702-1

08/11/2022

A behavior change for improperly configured time-to-live (TTL) indexes can suddenly expire documents when upgrading to MongoDB 5.0 or 6.0 from version 4.4 or earlier.

Affects:

MongoDB Server

versions:

5.0.X
6.0.X

08/10/2022

A sharding metadata bug in MongoDB versions 5.0.0-5.0.10 and 6.0.0 can introduce corruption during a movePrimary command.

Affects:

MongoDB Server

versions:

5.0.0 - 5.0.10
6.0.0

11/12/2021

A storage engine bug in MongoDB 4.4.3 and 4.4.4 can introduce corruption when upgrading to 4.4.8-4.4.10 or 5.0.2-5.0.5. It is safe to upgrade from versions 4.4.3 and 4.4.4 directly to 4.4.11+ or 5.0.6+.

Affects:

MongoDB Server

versions:

4.4.3
4.4.4

09/22/2021

A storage engine bug in MongoDB 4.4.2-4.4.8, and 5.0.0-5.0.2 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9 or 5.0.3.

Affects:

MongoDB Server

versions:

4.4.2-4.4.8
5.0.0-5.0.2

09/22/2021

A storage engine bug in MongoDB 4.4.8 can cause inconsistent data after an unclean shutdown and restart. Upgrade to version 4.4.9.

Affects:

MongoDB Server

versions:

4.4.8

08/06/2021

A storage engine bug in MongoDB 4.4.7, 5.0.0, and 5.0.1 allows some inserts to violate unique index constraints. Upgrade to version 4.4.8 or 5.0.2.

Affects:

MongoDB Server

versions:

4.4.7
5.0.0
5.0.1

05/19/2021

A storage engine bug in MongoDB 4.4.5 causes crashes on startup and may cause temporary query correctness issues. Upgrade to version 4.4.6.

Affects:

MongoDB Server

versions:

4.4.5

10/12/2020

Possible Corruption of Backup Snapshots on certain MongoDB 4.2+ Products

Affects:

MongoDB Server

versions:

4.2+

06/16/2020

A possible buffer overflow may cause in-memory corruption on MongoDB 4.2.7 with incremental backup enabled.

Affects:

MongoDB Server

versions:

4.2.7

01/09/2020

A memory management bug can cause lost documents and index inconsistencies on replica set secondaries that restart during index builds.

Affects:

MongoDB Server

versions:

4.2.0
4.2.1

01/07/2020

When MongoDB recovers from an unclean shutdown, it is possible for the recovery process to corrupt documents that have received size-changing updates.

Affects:

MongoDB Server

versions:

3.6.14
3.6.15

09/23/2019

A memory management bug can cause failed operations, process crashes, and in-memory corruption of data that may be persisted to disk.

Affects:

MongoDB Server

versions:

4.2.0

02/22/2018

We have identified a bug in MongoDB Compass where modification or deletion of a document through Compass may occur on a different document than expected under certain specific conditions.

Affects:

Compass

versions:

1.3.x - 1.11.1

05/03/2016

While a background index build is in progress, document updates modifying fields contained in the index specification may, under specific circumstances, cause mismatched index entries to appear. This has an impact on queries that use affected indexes.

Affects:

Indexing

versions:

3.0
3.2

03/30/2016

During chunk migrations, insert and update operations affecting data within a migrating chunk are not reflected to the recipient shard, resulting in data loss.

Affects:

Sharding

versions:

3.0.9
3.0.10

12/16/2015

In a replica set, if a secondary node is shut down cleanly while replicating writes, the node may mark certain replicated operations as successfully applied even though they have not been.

Affects:

Replication

versions:

3.2.0

12/09/2015

A race condition in WiredTiger may prevent a write operation from becoming immediately visible to subsequent read operations, which may result in various problems, primarily impacting replication.

Affects:

WiredTiger

versions:

3.0.0 - 3.0.7

06/15/2015

Sharded clusters where the balancer is enabled (or there are manual chunk migrations), containing WiredTiger nodes that may become primary, may lose writes to a chunk being migrated if that chunk is under a heavy write load.

Affects:

Sharding

versions:

3.0.0 - 3.0.3

10/02/2014

MongoDB installations on certain 3.x Linux kernels running on VMWare and using virtual SCSI disks managed by LVM may see corruption in namespace (.ns) files.

Affects:

Storage

versions:

2.4.11
2.6.4

08/03/2014

An update to a text-indexed field may fail to update the text index. As a result, a text search may not match the field contents, yielding incorrect search results.

Affects:

Text Search

versions:

2.4.0 - 2.4.10
2.6.0

01/01/2014

Under very rare circumstances mongos may incorrectly report a write as successful.

Affects:

Sharding

versions:

2.2.0 - 2.2.6
2.4.0 - 2.4.8

10/21/2013

During a chunk migration in a sharded cluster, if one of the documents in the chunk has a size between 16,776,185 and 16,777,216 bytes (inclusive), then some documents may be lost during the migration process.

Affects:

Sharding

versions:

2.2.0 - 2.2.5
2.4.0 - 2.4.4

03/21/2013

Secondary indexes (i.e. all indexes other than _id) may be corrupted on an initial sync if write operations are performed on the sync source during the initial sync.

Affects:

Replication

versions:

2.4.0

Operations Related

09/30/2025

Third-party distributions of the MongoDB Shell, such as those installed by the Homebrew or npm package managers, can be affected by a Node.js REPL bug that may cause unintended side effects to occur during autocomplete.

Affects:

MongoDB Shell (“mongosh”)

versions:

mongosh before version 2.5.8 in combination with Node.js versions 20.19.5 – 24.7.0

09/11/2025

When MongoDB is configured for FIPS mode on Linux operating systems which use OpenSSL 3 for cryptographic operations, MongoDB may use cryptographic algorithms from non-FIPS providers. This may allow clients to connect to a FIPS-mode MongoDB with TLS using non-FIPS-compliant cryptographic algorithms.

Affects:

MongoDB Server

versions:

6.0.0 - 6.0.25
7.0.0 - 7.0.22
8.0.0 - 8.0.12

10/29/2013

Caching of dbhash results may result in stale values, potentially causing disagreement among sharded cluster config servers.

Affects:

MongoDB Server

versions:

2.4.7

Common Vulnerabilities and Exposures (CVEs)

10/23/2025
CVE-2025-12100

MongoDB BI Connector ODBC driver installation via MSI may leave ACLs unset on custom installation directories

Incorrect Default Permissions vulnerability in MongoDB BI Connector ODBC driver allows Pri...

Affects:

BI Connector ODBC driver

Versions:

1.0.0 affects 1.4.6 and prior versions

10/23/2025
CVE-2025-11575

MongoDB Atlas SQL ODBC driver installation via MSI may leave ACLs unset on custom installation directories

Incorrect Default Permissions vulnerability in MongoDB Atlas SQL ODBC driver on Windows al...

Affects:

Atlas SQL ODBC driver

Versions:

1.0.0 affects 2.0.0 and prior versions

10/20/2025
CVE-2025-11979
5.3

Use-after-free in the MongoDB server query planner may lead to crash or undefined behavior

An authorized user may crash the MongoDB server by causing buffer over-read. This can be d...

Affects:

Server

Versions:

8.2.0
8.0.0 affects versions prior to 8.0.14
7.0.0 affects versions prior to 7.0.25

10/13/2025
CVE-2025-11695
8

Configuration may unexpectedly disable certificate validation

When tlsInsecure=False appears in a connection string, certificate validation is disabled....

Affects:

Rust Driver

Versions:

affects versions prior to v3.2.5

10/08/2025
CVE-2025-11535

MongoDB Connector for BI installation MSI leave ACLs unset on custom installation directories

MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom insta...

Affects:

MongoDB Connector for BI

Versions:

2.0.0 affects 2.14.24 and prior versions

09/15/2025
CVE-2025-10491
7.8

MongoDB Windows installation MSI may leave ACLs unset on custom installation directories

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directori...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.25
7.0 affects versions prior to 7.0.21
8.0 affects versions prior to 8.0.5

09/05/2025
CVE-2025-10061
6.5

Malformed $group Query May Cause MongoDB Server to Crash

An authorized user can cause a crash in the MongoDB Server through a specially crafted $gr...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.25
7.0 affects versions prior to 7.0.22
8.0 affects versions prior to 8.0.12
8.1 affects versions prior to 8.1.2

09/05/2025
CVE-2025-10060
6.5

MongoDB may be susceptible to Invariant Failure in Transactions due to Upsert Operation

MongoDB Server may allow upsert operations retried within a transaction to violate unique ...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.25
7.0 affects versions prior to 7.0.22
8.0 affects versions prior to 8.0.12

09/05/2025
CVE-2025-10059
6.5

MongoDB Server router will crash when incorrect lsid is set on a sharded query

An improper setting of the lsid field on any sharded query can cause a crash in MongoDB ro...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.24
7.0 affects versions prior to 7.0.18
8.0 affects versions prior to 8.0.6

07/07/2025
CVE-2025-7259
6.5

Certain Queries with Duplicate _id Fields May Cause MongoDB Server to Crash

An authorized user can issue queries with duplicate _id fields, that leads to unexpected b...

Affects:

MongoDB Server

Versions:

8.1 affects 8.1.0 and prior versions

07/07/2025
CVE-2025-6714
7.5

Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections

MongoDB Server's mongos component can become unresponsive to new connections due to incorr...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.23
7.0 affects versions prior to 7.0.20
8.0 affects versions prior to 8.0.9

07/07/2025
CVE-2025-6713
7.7

MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage

An unauthorized user may leverage a specially crafted aggregation pipeline to access data ...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.22
7.0 affects versions prior to 7.0.19
8.0 affects versions prior to 8.0.7

07/07/2025
CVE-2025-6712
6.5

MongoDB Server may be susceptible to DoS due to Accumulated Memory Allocation

MongoDB Server may be susceptible to disruption caused by high memory usage, potentially l...

Affects:

MongoDB Server

Versions:

8.0 affects versions prior to 8.0.10

07/07/2025
CVE-2025-6711
4.4

Incomplete Redaction of Sensitive Information in MongoDB Server Logs

An issue has been identified in MongoDB Server where unredacted queries may inadvertently ...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.21
7.0 affects versions prior to 7.0.18
8.0 affects versions prior to 8.0.5

06/26/2025
CVE-2025-6710
7.5

Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB

MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where s...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.21
7.0 affects versions prior to 7.0.17
8.0 affects versions prior to 8.0.5

06/26/2025
CVE-2025-6709
7.5

Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication

The MongoDB Server is susceptible to a denial of service vulnerability due to improper han...

Affects:

MongoDB Server

Versions:

7.0 affects versions prior to 7.0.17
8.0 affects versions prior to 8.0.5
6.0 affects versions prior to 6.0.21

06/26/2025
CVE-2025-6707
4.2

Race condition in privilege cache invalidation cycle

Under certain conditions, an authenticated user request may execute with stale privileges ...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.31
6.0 affects versions prior to 6.0.24
7.0 affects versions prior to 7.0.21
8.0 affects versions prior to 8.0.5

06/26/2025
CVE-2025-6706
5

Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server

An authenticated user may trigger a use after free that may result in MongoDB Server crash...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.21
7.0 affects versions prior to 7.0.17
8.0 affects versions prior to 8.0.4

04/01/2025
CVE-2025-3085
8.1

MongoDB Server running on Linux may allow unexpected connections where intermediate certificates are revoked

A MongoDB server under specific conditions running on Linux with TLS and CRL revocation st...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.31
6.0 affects versions prior to 6.0.20
7.0 affects versions prior to 7.0.16
8.0 affects versions prior to 8.0.4

04/01/2025
CVE-2025-3084
6.5

MongoDB Server may crash due to improper validation of explain command

When run on commands with certain arguments set, explain may fail to validate these argume...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.31
6.0 affects versions prior to 6.0.20
7.0 affects versions prior to 7.0.16
8.0 affects versions prior to 8.0.4

04/01/2025
CVE-2025-3083
7.5

Malformed MongoDB wire protocol messages may cause mongos to crash

Specifically crafted MongoDB wire protocol messages can cause mongos to crash during comma...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.31
6.0 affects versions prior to 6.0.20
7.0 affects versions prior to 7.0.16

04/01/2025
CVE-2025-3082
3.1

User may override a view's collation and gain unauthorized access to underlying data

A user authorized to access a view may be able to alter the intended collation, allowing t...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.31
6.0 affects versions prior to 6.0.20
7.0 affects versions prior to 7.0.14
7.3 affects versions prior to 7.3.4

03/18/2025
CVE-2025-0755
8.4

MongoDB C Driver bson library may be susceptible to buffer overflow

The various bson_append functions in the MongoDB C driver library may be susceptible to bu...

Affects:

libbson

Versions:

affects versions prior to 1.27.5

Affects:

MongoDB Server

Versions:

8.0 affects versions prior to 8.0.1
7.0 affects versions prior to 7.0.16

02/27/2025
CVE-2025-1756
7.5

MongoDB Shell may be susceptible to local privilege escalation in Windows

mongosh may be susceptible to local privilege escalation under certain conditions potentia...

Affects:

mongosh

Versions:

affects versions prior to 2.3.0

02/27/2025
CVE-2025-1755
7.5

MongoDB Compass may be susceptible to local privilege escalation in Windows

MongoDB Compass may be susceptible to local privilege escalation under certain conditions ...

Affects:

MongoDB Compass

Versions:

affects versions prior to 1.42.1

02/27/2025
CVE-2025-1693
3.9

MongoDB Shell may be susceptible to control character Injection via shell output

The MongoDB Shell may be susceptible to control character injection where an attacker with...

Affects:

mongosh

Versions:

affects versions prior to 2.3.9

02/27/2025
CVE-2025-1692
6.3

MongoDB Shell may be susceptible to control character injection via pasting

The MongoDB Shell may be susceptible to control character injection where an attacker with...

Affects:

mongosh

Versions:

affects versions prior to 2.3.9

02/27/2025
CVE-2025-1691
7.6

MongoDB Shell may be susceptible to Control Character Injection via autocomplete

The MongoDB Shell may be susceptible to control character injection where an attacker with...

Affects:

mongosh

Versions:

affects versions prior to 2.3.9

11/14/2024
CVE-2024-10921
6.8

Improper neutralization of null bytes may lead to buffer over-reads in MongoDB Server

An authorized user may trigger crashes or receive the contents of buffer over-reads of Ser...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.30
6.0 affects versions prior to 6.0.19
7.0 affects versions prior to 7.0.15
8.0 affects versions prior to 8.0.3

10/28/2024
CVE-2024-8013
2.2

CSFLE and Queryable Encryption self-lookup may fail to encrypt values in subpipelines

A bug in query analysis of certain complex self-referential $lookup subpipelines may resul...

Affects:

mongocryptd

Versions:

5.0 affects versions prior to 5.0.29
6.0 affects versions prior to 6.0.17
7.0 affects versions prior to 7.0.12
7.3 affects versions prior to 7.3.4

Affects:

Mongo_crypt_v1.so

Versions:

6.0 affects versions prior to 6.0.17
7.0 affects versions prior to 7.0.12
7.3 affects versions prior to 7.3.4

10/21/2024
CVE-2024-8305
6.5

MongoDB Server secondaries may crash due to forced index constraints

prepareUnique index may cause secondaries to crash due to incorrect enforcement of index c...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.17
7.0 affects versions prior to 7.0.13
7.3 affects versions prior to 7.3.4

09/10/2024
CVE-2024-8654
5

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour...

Affects:

MongoDB Server

Versions:

6.0.3

08/27/2024
CVE-2024-8207
6.4

MongoDB Server binaries may load potentially insecure shared libraries from specific relative paths

In certain highly specific configurations of the host system and MongoDB server binary ins...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.3
5.0 affects versions prior to 5.0.14

08/13/2024
CVE-2024-6384
5.3

Backup files may be downloaded by underprivileged users in MongoDB Enterprise Server

"Hot" backup files may be downloaded by underprivileged users, if they are capable of acqu...

Affects:

MongoDB Server

Versions:

6.0 affects versions prior to 6.0.16
7.0 affects versions prior to 7.0.11
7.3 affects versions prior to 7.3.3

08/07/2024
CVE-2024-7553
7.3

Accessing Untrusted Directory May Allow Local Privilege Escalation

Incorrect validation of files loaded from a local untrusted directory may allow local priv...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.27
6.0 affects versions prior to 6.0.16
7.0 affects versions prior to 7.0.12
7.3 affects versions prior to 7.3.3

Affects:

MongoDB C Driver

Versions:

affects versions prior to 1.26.2

Affects:

MongoDB PHP Driver

Versions:

affects versions prior to 1.18.1

07/03/2024
CVE-2024-6383
5.3

MongoDB C Driver bson_string_append may be vulnerable to a buffer overflow

The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow...

Affects:

libbson

Versions:

0 affects versions prior to 1.27.1

07/02/2024
CVE-2024-6382
6.4

Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands.

Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing...

Affects:

MongoDB Rust Driver

Versions:

2.0 affects versions prior to 2.8.2

07/02/2024
CVE-2024-6381
4

MongoDB C Driver bson_strfreev may be susceptible to integer overflow

The bson_strfreev function in the MongoDB C driver library may be susceptible to an intege...

Affects:

libbson

Versions:

affects versions prior to 1.26.2

07/01/2024
CVE-2024-6376
7

ejson shell parser in MongoDB Compass may be bypassed

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protectio...

Affects:

MongoDB Compass

Versions:

affects versions prior to 1.42.2

07/01/2024
CVE-2024-6375
5.4

Missing authorization check may lead to shard key refinement

A command for refining a collection shard key is missing an authorization check. This may ...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.22
6.0 affects versions prior to 6.0.11
7.0 affects versions prior to 7.0.3

06/05/2024
CVE-2024-5629
4.7

Out-of-bounds read in bson module of PyMongo

An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserializat...

Affects:

PyMongo

Versions:

affects 4.6.2 and prior versions

05/14/2024
CVE-2024-3374
5.3

MongoDB Server (mongod) may crash when generating ftdc

An unauthenticated user can trigger a fatal assertion in the server while generating ftdc ...

Affects:

MongoDB Server

Versions:

5.0 affects 5.0.16 and prior versions
6.0 affects 6.0.5 and prior versions

05/14/2024
CVE-2024-3372
7.5

MongoDB Server may have unexpected application behaviour due to invalid BSON

Improper validation of certain metadata input may result in the server not correctly seria...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.25
6.0 affects versions prior to 6.0.14
7.0 affects versions prior to 7.0.6

04/24/2024
CVE-2024-3371
7.1

Insufficient validation of external input in Compass may enable MITM attacks

MongoDB Compass may accept and use insufficiently validated input from an untrusted extern...

Affects:

MongoDB Compass

Versions:

affects 1.35.0 to 1.42.0

03/07/2024
CVE-2024-1351
8.8

MongoDB Server may allow successful untrusted connection

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer c...

Affects:

MongoDB Server

versions:

7.0 affects 7.0.5 and prior versions
6.0 affects 6.0.13 and prior versions
5.0 affects 5.0.24 and prior versions
4.4 affects 4.4.28 and prior versions

01/12/2024
CVE-2023-0437
5.3

MongoDB client C Driver may infinitely loop when validating certain BSON input data

When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot b...

Affects:

MongoDB C Driver

versions:

1.0.0 affects versions prior to 1.25.0

11/07/2023
CVE-2023-0436
4.5

Secret logging may occur in debug mode of Atlas Operator

The affected versions of MongoDB Atlas Kubernetes Operator may print sensitive information...

Affects:

MongoDB Atlas Kubernetes Operator

versions:

1.5.0 affects 1.7.0 and prior versions

08/29/2023
CVE-2021-32050
4.2

Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data...

Affects:

MongoDB C Driver

Versions:

1.0.0 affects versions prior to 1.17.7

Affects:

MongoDB C++ Driver

Versions:

3.0.0 affects versions prior to 3.7.0

Affects:

MongoDB PHP Driver

Versions:

1.0.0 affects versions prior to 1.9.2

Affects:

MongoDB Swift Driver

Versions:

1.0.0 affects versions prior to 1.1.1

Affects:

MongoDB Node.js Driver

Versions:

3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.17.0
5.0 affects versions prior to 5.8.0

08/23/2023
CVE-2023-1409
5.3

Certificate validation issue in MongoDB Server running on Windows or macOS

If the MongoDB Server running on Windows or macOS is configured to use TLS with a specific...

Affects:

MongoDB Server

Versions:

6.3 affects 6.3.2 and prior versions
5.0 affects 5.0.14 and prior versions
4.4 affects 4.4.23 and prior versions

08/08/2023
CVE-2023-4009
7.2

Privilege Escalation for Project Owner and Project User Admin Roles in Ops Manager

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an...

Affects:

MongoDB Ops Manager

Versions:

6.0 affects versions prior to 6.0.17
5.0 affects versions prior to 5.0.22

06/09/2023
CVE-2023-0342
3.1

MongoDB Ops Manager may disclose sensitive information in Diagnostic Archive

MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app...

Affects:

MongoDB Ops Manager

Versions:

v5.0 affects versions prior to 5.0.21
v6.0 affects versions prior to 6.0.12

02/21/2023
CVE-2022-48282
6.6

Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution

Under very specific circumstances (see Required configuration section below), a privileged...

Affects:

MongoDB .NET/C# Driver

Versions:

0 affects v2.18.0 and prior versions

05/11/2022
CVE-2022-24272
6.5

MongoDB Server (mongod) may crash in response to unexpected requests

An authenticated user may trigger an invariant assertion during command dispatch due to in...

Affects:

MongoDB Server

Versions:

5.0 affects 5.0.6 and prior versions

04/12/2022
CVE-2021-32040
6.5

Large aggregation pipelines with a specific stage can crash mongod under default configuration

It may be possible to have an extremely long aggregation pipeline in conjunction with a sp...

Affects:

MongoDB Server

Versions:

5.0 affects versions prior to 5.0.4
4.4 affects versions prior to 4.4.11
4.2 affects versions prior to 4.2.16

02/04/2022
CVE-2021-32036
5.4

Denial of Service and Data Integrity vulnerability in features command

An authenticated user without any specific authorizations may be able to repeatedly invoke...

Affects:

MongoDB Server

Versions:

5.0 affects 5.0.3 and prior versions
4.4 affects 4.4.9 and prior versions
4.2 affects 4.2.16 and prior versions
4.0 affects 4.0.28 and prior versions

01/20/2022
CVE-2021-32039
5.5

MongoDB Extension for VS Code may unexpectedly store credentials locally in clear text

Users with appropriate file access may be able to access unencrypted user credentials save...

Affects:

MongoDB for VS Code

Versions:

MongoDB for VS Code affects 0.7.0 and prior versions

12/15/2021
CVE-2021-20330
6.5

Specific replication command with malformed oplog entries can crash secondaries

An attacker with basic CRUD permissions on a replicated collection can run the applyOps co...

Affects:

MongoDB Server

Versions:

4.0 affects versions prior to 4.0.27
4.2 affects versions prior to 4.2.16
4.4 affects versions prior to 4.4.9

11/24/2021
CVE-2021-32037
6.5

User may trigger invariant when allowed to send commands directly to shards

An authorized user may trigger an invariant which may result in denial of service or serve...

Affects:

MongoDB Server

Versions:

5.0 affects 5.0.2 and prior versions

08/02/2021
CVE-2021-20332
4.2

MongoDB Rust Driver may publish events containing authentication-related data to a connection pool event listener configured by an application

Specific MongoDB Rust Driver versions can include credentials used by the connection pool ...

Affects:

MongoDB Rust Driver

Versions:

2.0.0-alpha
2.0.0-alpha1
1.0.0 affects 1.2.1 and prior versions

07/23/2021
CVE-2021-20333
5.3

Server log entry spoofing via newline injection

Sending specially crafted commands to a MongoDB Server may result in artificial log entrie...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.10

06/10/2021
CVE-2021-20329
6.8

Specific cstrings input may not be properly validated in the Go Driver

Specific cstrings input may not be properly validated in the MongoDB Go Driver when marsha...

Affects:

MongoDB Go Driver

Versions:

1.0 affects 1.5.0 and prior versions

05/24/2021
CVE-2021-20331
4.2

MongoDB C# Driver may publish events containing authentication-related data to a command listener configured by an application

Specific versions of the MongoDB C# Driver may erroneously publish events containing authe...

Affects:

MongoDB C# Driver

Versions:

2.12 affects 2.12.1 and prior versions

04/30/2021
CVE-2021-20326
6.5

Specially crafted query may result in a denial of service of mongod

A user authorized to perform a specific type of find query may trigger a denial of serv...

Affects:

MongoDB Server

Versions:

4.4 affects versions prior to 4.4.4

04/12/2021
CVE-2020-7924
4.2

Specific command line parameter might result in accepting invalid certificate

Usage of specific command line parameter in MongoDB Tools which was originally intended to...

Affects:

MongoDB Database Tools

Versions:

3.6.5 affects versions prior to 3.6*
4.0 affects versions prior to 4.0.21
4.2 affects versions prior to 4.2.11
100 affects versions prior to 100.2.0

04/06/2021
CVE-2021-20334
4.8

Local privilege escalation in MongoDB Compass for Windows

A malicious third party with local access to the Windows machine where MongoDB Compass is in...

Affects:

MongoDB Compass

Versions:

1.3.0 affects versions prior to 1.x*

02/26/2021
CVE-2020-7929
6.5

Specially crafted regex query can cause DoS

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.21
4.0 affects versions prior to 4.0.20

02/26/2021
CVE-2018-25004
4.9

Invariant failure when explaining a find with a UUID

A user authorized to perform a specific type of query may trigger a denial of service b...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.11
4.0 affects versions prior to 4.0.6

02/25/2021
CVE-2021-20327
6.4

MongoDB Node.js client side field level encryption library may not be validating KMS certificate

A specific version of the Node.js mongodb-client-encryption module does not perform correc...

Affects:

mongodb-client-encryption module

Versions:

1.2.0

02/25/2021
CVE-2021-20328
6.4

MongoDB Java driver client-side field level encryption not verifying KMS host name

Specific versions of the Java driver that support client-side field level encryption (CSFL...

Affects:

mongo-java-driver

Versions:

3.11 affects 3.11.2 and prior versions
3.12 affects 3.12.7 and prior versions

02/11/2021
CVE-2021-20335
6.7

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager

For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers that have SSL turn...

Affects:

Ops Manager

Versions:

4.2 affects 4.2.24 and prior versions

12/01/2020
CVE-2019-20924
6.5

Invariant in IndexBoundsBuilder

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

4.2 affects versions prior to 4.2.2

11/30/2020
CVE-2020-7925
7.5

Denial of Service when processing malformed Role names

Incorrect validation of user input in the role name parser may lead to use of uninitialize...

Affects:

MongoDB Server

Versions:

4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.0-rc12

11/30/2020
CVE-2020-7926
6.5

Specific query can cause a DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing a spe...

Affects:

MongoDB Server

Versions:

4.4 affects versions prior to 4.4.1

11/30/2020
CVE-2020-7927
8.1

Potential privilege escalation in Ops Manager API

Specially crafted API calls may allow an authenticated user who holds Organization Owner p...

Affects:

MongoDB Ops Manager

Versions:

4.2 affects 4.2.17 and prior versions
4.3 affects 4.3.9 and prior versions
4.4 affects 4.4.2 and prior versions

11/30/2020
CVE-2019-2392
6.5

$mod can result in UB

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.20
4.0 affects versions prior to 4.0.20
4.2 affects versions prior to 4.2.9
4.4 affects versions prior to 4.4.1

11/30/2020
CVE-2019-2393
6.5

Crash while joining collections with $lookup

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.15
4.0 affects versions prior to 4.0.13
4.2 affects versions prior to 4.2.1

11/30/2020
CVE-2019-20923
6.5

Crash while handling internal Javascript exception types

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

4.0 affects versions prior to 4.0.7

11/30/2020
CVE-2018-20802
6.5

Post-auth queries on compound index may crash mongod

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.9
4.0 affects versions prior to 4.0.3

11/30/2020
CVE-2018-20804
6.5

Invariant failure in applyOps

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.13
4.0 affects versions prior to 4.0.10

11/30/2020
CVE-2018-20805
6.5

Invariant with $elemMatch

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

3.6 affects versions prior to 3.6.10
4.0 affects versions prior to 4.0.5

11/24/2020
CVE-2019-20925
7.5

Denial of service via malformed network packet

An unauthenticated client can trigger denial of service by issuing specially crafted wire ...

Affects:

MongoDB Server

Versions:

4.2 affects versions prior to 4.2.1
4.0 affects versions prior to 4.0.13
3.6 affects versions prior to 3.6.15
3.4 affects versions prior to 3.4.24

11/23/2020
CVE-2020-7928
6.5

Improper neutralization of null byte leads to read overrun

A user authorized to perform database queries may trigger a read overrun and access arbitr...

Affects:

MongoDB Server

Versions:

4.4 affects versions prior to 4.4.1
4.2 affects versions prior to 4.2.9
4.0 affects versions prior to 4.0.20
3.6 affects versions prior to 3.6.20

11/23/2020
CVE-2018-20803
6.5

Infinite loop in aggregation expression

A user authorized to perform database queries may trigger denial of service by issuing spe...

Affects:

MongoDB Server

Versions:

4.0 affects versions prior to 4.0.5
3.6 affects versions prior to 3.6.10
3.4 affects versions prior to 3.4.19

08/21/2020
CVE-2020-7923
6.5

Specific GeoQuery can cause DoS against MongoDB Server

A user authorized to perform database queries may cause denial of service by issuing speci...

Affects:

MongoDB Server

Versions:

4.4 affects versions prior to 4.4.0-rc7
4.2 affects versions prior to 4.2.8
4.0 affects versions prior to 4.0.19

05/13/2020
CVE-2019-2388
5.8

Potential exposure of log information in Ops Manager

In affected Ops Manager versions there is an exposed HTTP route that may allow attacke...

Affects:

Ops Manager

Versions:

4.0.9
4.0.10
4.1.5

05/06/2020
CVE-2020-7921
4.6

Administrative action may disable enforcement of per-user IP whitelisting

Improper serialization of internal state in the authorization subsystem in MongoDB Server'...

Affects:

MongoDB Server

Versions:

4.2 affects versions prior to 4.2.3
4.0 affects versions prior to 4.0.15
3.6 affects versions prior to 3.6.18
4.3 affects versions prior to 4.3.3

04/09/2020
CVE-2020-7922
6.4

Kubernetes Operator generates potentially insecure certificates

X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an at...

Affects:

MongoDB Enterprise Kubernetes Operator

Versions:

1.0
1.1
1.2 affects 1.2.4 and prior versions
1.3 affects 1.3.1 and prior versions
1.4 affects 1.4.4 and prior versions

03/31/2020
CVE-2019-2391
4.2

JS-bson may incorrectly serialise some requests

Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BS...

Affects:

js-bson

Versions:

1.0 affects 1.1.3 and prior versions

08/30/2019
CVE-2019-2389
5.3

Process termination via PID file manipulation

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow ...

Affects:

MongoDB Server

Versions:

4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22

08/30/2019
CVE-2019-2390
8.2

Code execution on Windows via OpenSSL engine injection

An unprivileged user or program on Microsoft Windows which can create OpenSSL configuratio...

Affects:

MongoDB Server

Versions:

4.0 affects versions prior to 4.0.11
3.6 affects versions prior to 3.6.14
3.4 affects versions prior to 3.4.22

08/06/2019
CVE-2019-2386
7.1

Authorization session conflation

After user deletion in MongoDB Server the improper invalidation of authorization sessions ...

Affects:

MongoDB Server

Versions:

4.0 affects versions prior to 4.0.9
3.6 affects versions prior to 3.6.13
3.4 affects versions prior to 3.4.22