Description
Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.
This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior to 7.0.32
Published: 2026-04-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the MongoDB server computes an MD5 checksum of a malformed BSON object under specific conditions, leading to a loss of availability. This flaw is an integer overflow attack (CWE‑191) that can result in a denial of service once triggered. The likely attack vector is the injection of a carefully crafted BSON document, which an adversary could supply either via a local interface or over the network if the server accepts externally submitted data.

Affected Systems

Affected are MongoDB Server versions 8.2, 8.1, all 8.0 releases before 8.0.21, and all 7.0 releases before 7.0.32. The vulnerability exists in the MongoDB Server product supplied by MongoDB.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity of availability impact. EPSS is not available, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw manifests during checksum calculation, an attacker who can direct malformed BSON to the server can trigger a denial of service, potentially affecting multiple users or services that rely on the availability of the database.

Generated by OpenCVE AI on April 29, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB to version 8.0.21 or later, or 8.1 or 8.2, and to 7.0.32 or later for affected releases
  • If an upgrade is not immediately possible, restrict or sanitize any incoming BSON data and avoid sending malformed documents to the database
  • Monitor server logs for checksum failures or shutdown events and apply maintenance or performance monitoring to mitigate service disruption

Generated by OpenCVE AI on April 29, 2026 at 21:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb mongodb
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
Vendors & Products Mongodb mongodb

Wed, 29 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Wed, 29 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior to 7.0.32
Title MD5 checksum creation may cause availability loss
Weaknesses CWE-191
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-04-29T17:49:48.034Z

Reserved: 2026-04-23T14:59:45.727Z

Link: CVE-2026-6914

cve-icon Vulnrichment

Updated: 2026-04-29T17:49:42.674Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T17:16:41.230

Modified: 2026-05-06T20:11:08.547

Link: CVE-2026-6914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:30:20Z

Weaknesses