Description
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Published: 2026-03-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure of internal stack data
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with read-only privileges to exfiltrate uninitialized stack memory by issuing specially-crafted filemd5 commands. This flaw is a form of memory disclosure, enabling an attacker to glean internal state information that could contain sensitive details. The weakness is characterized by CWE‑457 and CWE‑908.

Affected Systems

MongoDB Server produced by MongoDB Inc is affected. The issue applies to releases starting with version 8.3.0 alpha0 through alpha3 and rc1, and to all other builds indicated by the general MongoDB product CPE. The vulnerability is documented in the MongoDB issue tracker as SERVER‑119317.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity impact, yet the EPSS score of under 1% suggests limited exploitation likelihood. The attacker must be authenticated with at least a read role to use the filemd5 command, so the vulnerability is not exploitable by anonymous users. The flaw is not listed in the CISA KEV catalog, implying no known widespread exploitation. Nevertheless, the potential for leaking internal data warrants prompt remediation.

Generated by OpenCVE AI on April 10, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official MongoDB patch addressing SERVER‑119317
  • Revoke or restrict read role privileges for users that do not require them
  • Limit usage of the filemd5 command in automated scripts or applications
  • Monitor system logs for anomalous filemd5 activity
  • Contact MongoDB support for guidance if the patch cannot be applied immediately

Generated by OpenCVE AI on April 10, 2026 at 18:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb mongodb
Weaknesses CWE-908
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:8.3.0:alpha0:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:8.3.0:alpha1:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:8.3.0:alpha2:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:8.3.0:alpha3:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:8.3.0:rc1:*:*:-:*:*:*
Vendors & Products Mongodb mongodb

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Title Stack memory disclosure in filemd5 command
Weaknesses CWE-457
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-17T16:09:55.480Z

Reserved: 2026-03-13T17:18:01.671Z

Link: CVE-2026-4147

cve-icon Vulnrichment

Updated: 2026-03-17T16:09:52.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T16:16:23.497

Modified: 2026-04-10T17:40:20.800

Link: CVE-2026-4147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:27Z

Weaknesses