Description
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.

This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
Published: 2026-03-30
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (primary crash)
Action: Patch
AI Analysis

Impact

A user with limited cluster privileges can trigger a crash of a mongod process during the brief, unpredictable window that occurs while a replica set is promoted to a sharded cluster. This vulnerability, identified as CWE-617, results in the loss of the primary node and causes a denial of service against the affected database. The impact is limited to availability; confidentiality and integrity are not directly affected.

Affected Systems

MongoDB Server is affected in the following versions: all v8.2 releases before 8.2.2, v8.0 releases from 8.0.18 onward, and v7.0 releases starting with 7.0.31. Users running any of these versions during a promotion operation are at risk.

Risk and Exploitability

The CVSS score of 6.0 indicates moderate severity, while the EPSS score of less than 1% shows that the likelihood of real-world exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have at least a limited set of privilege actions within the cluster and to act during the narrow promotion window, making the attack surface relatively constrained. Nevertheless, if exploited, the attacker can cause a temporary outage of the primary node and disrupt cluster operations.

Generated by OpenCVE AI on April 2, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to a non-affected version (v8.2.2 or later, v8.0.19 or later, or v7.0.31 or later).
  • If an immediate upgrade is not possible, restrict users from performing promotion to sharded cluster operations or schedule promotions during periods of low activity to reduce the attack window.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mongodb mongodb
CPEs                |                | cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
Vendors & Products  |                | Mongodb mongodb

Wed, 01 Apr 2026 02:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mongodb; Mongodb mongodb Server
Vendors & Products  |                | Mongodb; Mongodb mongodb Server

Mon, 30 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
Title       |                | Users could trigger a crash of mongod primaries during promotion to sharded
Weaknesses  |                | CWE-617
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}
            |                | cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-30T16:02:37.318Z

Reserved: 2026-03-30T15:16:59.378Z

Link: CVE-2026-5170

Vulnrichment

Updated: 2026-03-30T16:02:32.808Z

NVD

Status : Analyzed

Published: 2026-03-30T16:16:10.610

Modified: 2026-04-02T17:18:58.177

Link: CVE-2026-5170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:14Z

Weaknesses