Description
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Published: 2026-03-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

CVE-2026-4147 describes an information disclosure vulnerability in MongoDB Server’s filemd5 command. An authenticated user possessing the read role can issue specially crafted filemd5 commands that cause the server to read portions of uninitialized stack memory. This flaw results in the unintended leakage of data that resides on the stack at the time of the command’s execution, such as passwords, cryptographic keys, or other sensitive information. The weakness is identified as CWE-457, Uninitialized Variable.

Affected Systems

Affected systems are MongoDB Inc: MongoDB Server installations that provide the filemd5 command to users with a read role. No specific versions are listed in the CNA data, so the exact impacted versions are unknown; any system that implements the filemd5 operation remains potentially vulnerable until confirmed patches are applied.

Risk and Exploitability

The CVSS base score of 7.1 indicates moderate to high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The attack requires legitimate read‑role authentication, implying an insider or compromised account could leverage the flaw. Because no official fix or workaround is disclosed, the risk is mitigated primarily through applying vendor updates when they become available or limiting the read role’s ability to invoke filemd5.

Generated by OpenCVE AI on March 17, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check MongoDB’s official security advisories for an update that addresses CVE-2026-4147.
  • Apply any available patch or upgrade MongoDB Server to the latest supported version.
  • If a patch is not yet released, restrict or disable the filemd5 command for users with the read role or remove the read role from accounts that do not require it.
  • Review audit logs for unexpected usage of the filemd5 command and monitor for memory read anomalies.
  • Maintain current backups and ensure proper key management practices to protect sensitive data that could be exposed.

Generated by OpenCVE AI on March 17, 2026 at 17:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
Title Stack memory disclosure in filemd5 command
Weaknesses CWE-457
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-17T16:09:55.480Z

Reserved: 2026-03-13T17:18:01.671Z

Link: CVE-2026-4147

cve-icon Vulnrichment

Updated: 2026-03-17T16:09:52.279Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-17T16:16:23.497

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-4147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:10Z

Weaknesses