Description
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
Published: 2026-02-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via out-of-memory crash resulting in MongoDB server disablement
Action: Patch
AI Analysis

Impact

Complex queries can overwhelm the MongoDB Query Planner, causing excessive memory consumption that leads to an out-of-memory crash. The resulting process failure takes the server down, denying service to legitimate users. The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

The flaw affects MongoDB Server from MongoDB Inc. No specific version bounds are provided, so all releases may be vulnerable until a vendor statement clarifies the scope. Users should consult the referenced JIRA issue for detailed guidance.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user with query privileges; a crafted boolean expression can trigger the OOM crash, resulting in a denial of service. No publicly available exploits have been reported according to the current data.

Generated by OpenCVE AI on April 17, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to the latest release that addresses the query planner memory issue.
  • If upgrading is not possible, configure limits to reduce query complexity or disable overly complex boolean expressions where the database settings allow.
  • Monitor memory usage and set alerts for out-of-memory events; configure automatic service restarts to restore availability quickly.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Mongodb; Mongodb mongodb
Vendors & Products | (none) | Mongodb; Mongodb mongodb

Tue, 10 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
Title | (none) | An authorized user may disable the MongoDB server by issuing a certain type of complex query due to boolean expression simplification
Weaknesses | (none) | CWE-770
References | (none) |
Metrics | (none) | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-10T19:18:26.224Z

Reserved: 2026-02-03T18:21:53.785Z

Link: CVE-2026-1850

Vulnrichment

Updated: 2026-02-10T19:18:21.848Z

NVD

Status: Analyzed

Published: 2026-02-10T19:15:51.633

Modified: 2026-02-25T17:11:10.953

Link: CVE-2026-1850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses