Description
Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header.
Published: 2026-02-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Connections that arrive through the proxy port may not be counted toward the server’s total accepted connection count, which can cause MongoDB Server to exceed its resource limits and crash. The flaw is a resource exhaustion issue, classified as CWE-770 (Allocation of Resources Without Limits or Throttling), in which an attacker can force the server to consume more memory or file handles than it is configured to handle.

Affected Systems

MongoDB Inc’s MongoDB Server is affected. The vulnerability applies to any installation that accepts connections via the proxy port and processes the proxy protocol header. Exact software versions are not listed, so all currently supported MongoDB Server releases that enable proxy handling may be impacted.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 8.2 (7.5 under CVSS 3.1), indicating high severity, but the EPSS score is under 1%, suggesting a very low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector involves an attacker opening a large number of connections through the proxy port, using the proxy protocol header to mask traffic, so that the server leaves these connections out of its accounting and eventually exhausts available resources, leading to a crash. Because the vulnerability requires only proxy connections, it needs no privileged credentials and can be exploited remotely over the network.

Generated by OpenCVE AI on April 17, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MongoDB Server to the latest release that resolves SERVER-114695.
  • Disable or properly configure the proxy port so that proxy protocol headers are validated and counted; if the proxy port is not required, consider closing the port or limiting its use.
  • Set a tighter limit on concurrent connections with the maxIncomingConnections setting or other relevant configuration limits to protect against resource exhaustion.


Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb
Vendors & Products | | Mongodb; Mongodb mongodb

Wed, 11 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol header.
Title | | Connections received from the proxy port may not count towards total accepted connections
Weaknesses | | CWE-770
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-11T15:17:01.970Z

Reserved: 2026-02-03T18:21:51.892Z

Link: CVE-2026-1848

Vulnrichment

Updated: 2026-02-11T15:16:57.650Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:51.333

Modified: 2026-02-25T17:20:29.207

Link: CVE-2026-1848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses