Description
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
Published: 2026-02-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Server Crash)
Action: Patch Immediately
AI Analysis

Impact

An unsafe cast in MongoDB's query planner causes a segmentation fault when a query targets a collection that has an invalid compound wildcard index. The resulting crash terminates the server process, denying service to all clients. This error falls under CWE‑704, a type conversion error, and is triggered only when the database receives a query from an authenticated user.

Affected Systems

MongoDB Server by MongoDB Inc. The CVE does not specify affected version numbers, so any deployment that supports the vulnerable query planner code is potentially impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating high impact, but an EPSS score of less than 1% shows a low likelihood of exploitation in the wild, and it is not listed in the CISA KEV catalog. Attackers must be authorized to run queries against a collection with an invalid compound wildcard index, so the attack surface is limited to insider or credential‑compromise scenarios. Once exploited, the server crashes, leading to downtime until it is restarted or patched.

Generated by OpenCVE AI on April 17, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MongoDB Server release that resolves the unsafe cast and protects against segmentation faults (consult the vendor’s advisories for the specific patched version).
  • If a patch cannot be applied immediately, restrict or revoke the privileges of users who can create or query compound wildcard indexes to reduce the attack surface.
  • Remove or reorganize existing compound wildcard indexes that are invalid or unnecessary to prevent triggering the crash.

Generated by OpenCVE AI on April 17, 2026 at 20:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb
Vendors & Products Mongodb
Mongodb mongodb

Tue, 10 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
Title An unsafe cast in the MongoDB query planner can result in a segmentation fault.
Weaknesses CWE-704
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-10T19:15:20.731Z

Reserved: 2026-02-03T18:21:58.986Z

Link: CVE-2026-25613

cve-icon Vulnrichment

Updated: 2026-02-10T19:14:04.696Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T19:16:04.267

Modified: 2026-02-25T16:45:10.213

Link: CVE-2026-25613

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses