Description
A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
Published: 2026-02-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Assess
AI Analysis

Impact

A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server, resulting in a denial of service. The vulnerability requires no authentication and can be triggered over the network.

Affected Systems

MongoDB Server from MongoDB Inc. is affected; no specific version numbers are indicated, so any instance lacking the fix is potentially vulnerable.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. The EPSS score is below 1%, so exploitation likelihood is low. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote unauthenticated network traffic, where an attacker sends crafted packets to the MongoDB port to trigger memory exhaustion.

Generated by OpenCVE AI on April 18, 2026 at 12:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or update that addresses this memory exhaustion issue to MongoDB Server.
  • Limit inbound connections to the MongoDB port to trusted hosts or networks and consider rate‑limiting traffic before it reaches the database server.
  • Monitor memory usage of the MongoDB process and set alerts for abnormal increases or process crashes to detect exploitation attempts early.

Generated by OpenCVE AI on April 18, 2026 at 12:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb
Vendors & Products Mongodb
Mongodb mongodb

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
Title Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server
Weaknesses CWE-405
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-11T15:21:16.207Z

Reserved: 2026-02-03T18:21:58.986Z

Link: CVE-2026-25611

cve-icon Vulnrichment

Updated: 2026-02-11T15:21:04.099Z

cve-icon NVD

Status : Deferred

Published: 2026-02-10T18:16:37.450

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses