Description
Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.
Published: 2026-02-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change via the profile command
Action: Patch Now
AI Analysis

Impact

An improper check of the profile command causes a request that modifies the filter to be treated as read‑only. This allows an attacker to change configuration settings that should otherwise be protected, potentially leading to unauthorized configuration changes or privilege escalation within the MongoDB instance.

Affected Systems

The vulnerability affects MongoDB Server from MongoDB Inc. No specific versions are listed, so all releases of MongoDB Server may be impacted until a fix is deployed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the very low EPSS score (<1%) suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack requires the ability to issue commands against the database, so an authenticated or remotely compromised client that can send profile commands could exploit this flaw to alter filter settings. No additional exploitation conditions are indicated beyond this inferred command‑execution capability.

Generated by OpenCVE AI on April 17, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to the latest release that contains the fix for the profile command validation bug.
  • Restrict or disable the profile command for non‑privileged roles using role‑based access control to limit its use to trusted administrators.
  • Monitor database logs for unexpected profile or filter changes to detect potential abuse and respond promptly.



Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Type: First Time appeared
Values Added: Mongodb; Mongodb mongodb

Type: Vendors & Products
Values Added: Mongodb; Mongodb mongodb

Tue, 10 Feb 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 19:15:00 +0000

Type: Description
Values Added: Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.

Type: Title
Values Added: profile command may permit unauthorized configuration

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics
Values Added:
cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-10T19:52:07.572Z

Reserved: 2026-02-03T18:21:58.985Z

Link: CVE-2026-25609

Vulnrichment

Updated: 2026-02-10T19:52:03.552Z

NVD

Status: Analyzed

Published: 2026-02-10T19:16:03.877

Modified: 2026-02-25T16:54:40.037

Link: CVE-2026-25609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses