Description
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.

This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions prior to 8.0.18, and MongoDB Server v7.0 versions prior to 7.0.31.
Published: 2026-03-30
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service from mongod crash during sharded promotion
Action: Patch Now
AI Analysis

Impact

An authenticated user holding only a limited set of privilege actions (CVSS PR:L, not an administrator) can crash the mongod primary while a replica set is being promoted to a sharded cluster. Losing the primary interrupts cluster availability until a new primary is elected or the process is restarted. The weakness is classified as CWE-617 (Reachable Assertion): the impact is a process crash, and the CVSS vectors record no confidentiality or integrity impact (C:N/I:N, A:H).

Affected Systems

MongoDB Server 8.2 releases prior to 8.2.2, 8.0 releases prior to 8.0.18, and 7.0 releases prior to 7.0.31 are affected. Any deployment on these releases is exposed during the window in which a replica set is promoted to a sharded cluster; a deployment that never performs that promotion does not reach the vulnerable code path as described.

Risk and Exploitability

The CVSS v4.0 base score of 6.0 (Medium; v3.1: 5.3) reflects a network-reachable, low-privilege trigger (AV:N, PR:L, UI:N) whose attack complexity is rated high (AC:H) because the attacker must act during the narrow and unpredictable promotion window. No exploitation has been reported (SSVC Exploitation: none), and the vulnerability is not listed in the known-exploited catalog, but the potential for taking down a primary warrants prompt action.

Generated by OpenCVE AI on March 30, 2026 at 17:51 UTC.

Remediation

No vendor advisory or workaround is linked on this record. The CVE description itself identifies the fixed releases: 8.2.2, 8.0.18 and 7.0.31 are the first releases in their respective branches that are not affected.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to 8.2.2 or later, 8.0.18 or later, or 7.0.31 or later, depending on the branch in use.
  • If an immediate upgrade is not possible, defer promoting a replica set to a sharded cluster until the affected members have been patched.
  • If a promotion must proceed on an affected release, perform it in a maintenance window and limit which authenticated users can reach the cluster during that window, since the trigger requires only a limited set of privilege actions.
  • Monitor for unexpected mongod exits and configure alerting and automatic restart so a crashed primary is detected and recovered quickly.
  • Take a recent backup before altering cluster configuration.

Generated by OpenCVE AI on March 30, 2026 at 17:51 UTC.
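The affected-version ranges above and the upgrade recommendation are easiest to act on as a script that checks every member's reported version against the first fixed release of its branch. The following is an added example, not MongoDB's or OpenCVE's code. The fixed releases (8.2.2, 8.0.18, 7.0.31) are taken from this page; the host names and the version strings in SAMPLE_MEMBERS are constructed, and the optional pymongo collector at the end assumes pymongo is installed and that the caller can reach each member directly. Branches the advisory does not mention (for example 6.0 or 8.1) are reported as "unknown" rather than "fixed", because the page says nothing about them.

```python
# Version audit for CVE-2026-5170 (mongod crash during promotion to sharded).
# Added example; not MongoDB's or OpenCVE's code.
import re
from typing import Dict, Iterable, List, Optional, Tuple

# First fixed release per affected branch, as stated on the advisory page.
# Branches not listed here are not covered by the advisory, so the check
# reports "unknown" for them instead of claiming they are fixed.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 2): (8, 2, 2),
    (8, 0): (8, 0, 18),
    (7, 0): (7, 0, 31),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' from a mongod buildInfo.version string, ignoring any
    pre-release or build suffix such as '-rc1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the release is below its branch's fixed release, False if it is
    at or past it, None if the branch is not listed in the advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def audit_members(members: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to 'affected', 'fixed' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for host, version in members:
        state = is_affected(version)
        if state is None:
            verdicts[host] = "unknown"
        else:
            verdicts[host] = "affected" if state else "fixed"
    return verdicts


def collect_versions(uri: str) -> List[Tuple[str, str]]:
    """Collect (host, version) from every member of a replica set.
    Assumes pymongo is installed and each member is directly reachable;
    imported lazily so the rest of this script runs offline."""
    from pymongo import MongoClient

    client = MongoClient(uri, serverSelectionTimeoutMS=5000)
    status = client.admin.command("replSetGetStatus")
    members: List[Tuple[str, str]] = []
    for member in status["members"]:
        host = member["name"]
        direct = MongoClient(f"mongodb://{host}", directConnection=True,
                             serverSelectionTimeoutMS=5000)
        members.append((host, direct.admin.command("buildInfo")["version"]))
    return members


# Constructed sample inventory (not real hosts), shaped like the output of
# collect_versions() for a mixed-version replica set.
SAMPLE_MEMBERS: List[Tuple[str, str]] = [
    ("rs0-a.example.internal:27017", "8.2.1"),
    ("rs0-b.example.internal:27017", "8.0.17"),
    ("rs0-c.example.internal:27017", "8.0.18"),
    ("rs0-d.example.internal:27017", "7.0.30-rc1"),
    ("rs0-e.example.internal:27017", "6.0.22"),
]

if __name__ == "__main__":
    for host, verdict in audit_members(SAMPLE_MEMBERS).items():
        print(f"{host}: {verdict}")
```

Run it against the constructed inventory to see the three verdicts; swap in `collect_versions("mongodb://user:pass@rs0-a.example.internal:27017/?replicaSet=rs0")` (a hypothetical URI) to audit a live replica set before scheduling a promotion.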

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
Title | | Users could trigger a crash of mongod primaries during promotion to sharded
Weaknesses | | CWE-617
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-30T16:02:37.318Z

Reserved: 2026-03-30T15:16:59.378Z

Link: CVE-2026-5170

Vulnrichment

Updated: 2026-03-30T16:02:32.808Z

NVD

Status : Received

Published: 2026-03-30T16:16:10.610

Modified: 2026-03-30T16:16:10.610

Link: CVE-2026-5170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:35Z

Weaknesses