Description
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
Published: 2026-02-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Server Crash
Action: Patch
AI Analysis

Impact

An authorized user can invoke a server crash by supplying a $geoNear aggregation pipeline that includes an invalid index hint. This flaw does not directly leak data or allow code execution; instead it disrupts the availability of the MongoDB instance by causing an unhandled exception during index processing. The underlying weakness maps to CWE‑617, where a function’s return value or error state is ignored, allowing the system to continue operating in an inconsistent state.

Affected Systems

This issue affects MongoDB Server as distributed by MongoDB Inc. The vulnerability is applicable to all current releases in which custom $geoNear index hints are permitted; specific affected versions are not enumerated, so all supported MongoDB Server versions should be considered potentially vulnerable until a patch is released.

Risk and Exploitability

The CVSS base score is 7.1, indicating a medium‑to‑high severity vulnerability. EPSS indicates a exploitation probability of less than 1 %, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need authorized access to run the problematic pipeline, so an insider or compromised admin account is sufficient. The flaw can be exploited by executing a small aggregating query, but no remote code execution or privilege escalation is required. Systems with high uptime requirements should prioritize remediation.

Generated by OpenCVE AI on April 17, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MongoDB Server release that resolves the $geoNear index hint validation flaw.
  • If immediate upgrade is not feasible, eliminate the use of custom index hints in $geoNear pipelines until the issue is fixed.
  • Restrict $geoNear operations to trusted users by applying role‑based access controls or using a whitelist of allowed index hints.
  • Monitor server logs for unhandled exceptions related to aggregation pipelines and alert administrators when such events occur.

Generated by OpenCVE AI on April 17, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb
Vendors & Products Mongodb
Mongodb mongodb

Tue, 10 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
Title Invalid $geoNear index hint may cause server crash
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-10T20:29:51.688Z

Reserved: 2026-02-03T18:21:58.985Z

Link: CVE-2026-25610

cve-icon Vulnrichment

Updated: 2026-02-10T20:29:42.714Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T19:16:04.037

Modified: 2026-02-25T16:46:13.320

Link: CVE-2026-25610

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses