Description
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets an authenticated user holding the read role retrieve limited amounts of uninitialized stack memory from the mongod process by issuing specially crafted filemd5 commands. The leaked bytes are whatever the serving thread last left on its stack, so their content is not predictable from the attacker's side and may include data belonging to other sessions; the impact is a loss of confidentiality of process memory, with no integrity or availability effect. The root cause is use of an uninitialized variable, classified as CWE-457.

Affected Systems

MongoDB servers that expose the filemd5 command (the server command that computes the MD5 checksum of a GridFS file from its chunks) are affected. The advisory supplies no affected version range, so any deployment that supports the command and has not received the vendor fix should be treated as affected until MongoDB publishes fixed versions.

Risk and Exploitability

The CVSS v4.0 score of 7.1 (High; the v3.1 vector scores 6.5, Medium) reflects a network-reachable, low-complexity attack with high confidentiality impact and no integrity or availability impact. Because the attack requires authentication with read privileges, exposure is limited to insiders, application service accounts and compromised credentials; an external attacker must first obtain a valid login. No EPSS score is available and the CVE is not listed in CISA KEV, which means no exploitation in the wild has been recorded, not that exploitation is difficult. The disclosure remains a concern for organizations that must keep database memory contents, including other sessions' data, from being read by low-privilege accounts.

Generated by OpenCVE AI on June 10, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the MongoDB release that fixes the uninitialized stack read in filemd5 as soon as the vendor publishes one; no fix is listed yet
  • Reduce privileges: remove the read role from accounts that do not need it, or replace it with a custom role that grants find only on the collections they actually use, leaving out GridFS chunks collections (fs.chunks by default) that filemd5 operates on
  • Restrict access to GridFS chunks collections so that only trusted, privileged accounts can target them with filemd5
  • Monitor mongod logs (and the audit log, where available) for filemd5 invocations from accounts that do not normally use GridFS, and alert on bursts: harvesting anything useful from "limited amounts" of stack memory takes repeated calls
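
One way to implement the monitoring recommendation above. This is an added example, not code from OpenCVE or MongoDB. It scans MongoDB structured (JSON) log lines, correlates each connection's ACCESS "Authentication succeeded" event with later COMMAND entries carrying filemd5, and raises alerts for filemd5 calls from accounts outside a GridFS allowlist and for bursts from one connection. The exact message ids and attr field shapes are assumptions approximating the 4.4+ JSON log format; adjust them to your server version, and note that command entries only appear in the log when profiling or slowms is set low enough (or when an audit log is in use). All sample log lines are constructed.

```python
"""Flag suspicious filemd5 usage in MongoDB JSON log lines (added example)."""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed allowlist: accounts expected to use GridFS, as user@authDB.
GRIDFS_ALLOWLIST = {"media-svc@app"}
BURST_COUNT = 5          # filemd5 calls ...
BURST_WINDOW_SEC = 60    # ... within this many seconds from one connection


def _auth_line(ts, ctx, user, db, remote):
    # Shape approximates mongod's ACCESS "Authentication succeeded" entry (assumed).
    return json.dumps({"t": {"$date": ts}, "s": "I", "c": "ACCESS", "id": 20250, "ctx": ctx,
                       "msg": "Authentication succeeded",
                       "attr": {"mechanism": "SCRAM-SHA-256", "principalName": user,
                                "authenticationDatabase": db, "remote": remote}})


def _filemd5_line(ts, ctx, db, root, oid, remote):
    # Shape approximates a COMMAND "Slow query" entry for filemd5 (assumed).
    return json.dumps({"t": {"$date": ts}, "s": "I", "c": "COMMAND", "id": 51803, "ctx": ctx,
                       "msg": "Slow query",
                       "attr": {"type": "command", "ns": f"{db}.{root}.chunks", "remote": remote,
                                "command": {"filemd5": {"$oid": oid}, "root": root, "$db": db},
                                "durationMillis": 2}})


# Constructed sample: one legitimate GridFS client, one reporting account hammering
# filemd5, one connection whose auth event is missing (e.g. rotated away), and a
# non-JSON line to show that such lines are skipped.
SAMPLE_LOG = "\n".join(
    [_auth_line("2026-06-10T09:00:00.000+00:00", "conn3", "media-svc", "app", "10.0.5.8:40112"),
     _filemd5_line("2026-06-10T09:00:05.000+00:00", "conn3", "app", "fs",
                   "665e0c5b9a1c2d3e4f5a6b7c", "10.0.5.8:40112"),
     _auth_line("2026-06-10T09:01:00.000+00:00", "conn7", "reporting", "app", "10.0.5.21:52144")]
    + [_filemd5_line(f"2026-06-10T09:01:{10 + i:02d}.000+00:00", "conn7", "app", "fs",
                     f"{i:024x}", "10.0.5.21:52144") for i in range(8)]
    + [_filemd5_line("2026-06-10T09:03:00.000+00:00", "conn9", "app", "fs",
                     "000000000000000000000001", "203.0.113.5:61000"),
       "I CONTROL  [main] not a json line"])


def iter_entries(text):
    """Yield parsed JSON log entries, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def analyze(log_text, allowlist=GRIDFS_ALLOWLIST,
            burst_count=BURST_COUNT, window=BURST_WINDOW_SEC):
    """Return (filemd5_calls, alerts). Each alert is (kind, call) with
    kind in {"unexpected_user", "burst"}."""
    principal_by_conn = {}                # ctx -> user@authDB, from ACCESS events
    recent_by_conn = defaultdict(deque)   # ctx -> timestamps of recent filemd5 calls
    calls, alerts = [], []
    for e in iter_entries(log_text):
        attr, ctx = e.get("attr", {}), e.get("ctx")
        if e.get("c") == "ACCESS" and e.get("msg") == "Authentication succeeded":
            principal_by_conn[ctx] = f'{attr["principalName"]}@{attr["authenticationDatabase"]}'
            continue
        cmd = attr.get("command", {})
        if e.get("c") != "COMMAND" or "filemd5" not in cmd:
            continue
        ts = datetime.fromisoformat(e["t"]["$date"])
        who = principal_by_conn.get(ctx, "unknown")   # no auth event seen for this ctx
        call = {"ts": ts, "ctx": ctx, "user": who, "db": cmd.get("$db"),
                "root": cmd.get("root", "fs"), "remote": attr.get("remote")}
        calls.append(call)
        if who not in allowlist:
            alerts.append(("unexpected_user", call))
        q = recent_by_conn[ctx]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) == burst_count:   # fire once, when the threshold is first reached
            alerts.append(("burst", call))
    return calls, alerts


def summarize(alerts):
    """Count alerts per (kind, user) for a quick triage view."""
    return Counter((kind, call["user"]) for kind, call in alerts)


if __name__ == "__main__":
    found, raised = analyze(SAMPLE_LOG)
    print(f"{len(found)} filemd5 calls, {len(raised)} alerts")
    for key, n in sorted(summarize(raised).items()):
        print(f"  {key[0]:<16} {key[1]:<16} x{n}")
```

The allowlist check catches the one-off call from an account that has no business touching GridFS; the burst rule catches the repeated calls an attacker needs to accumulate leaked stack bytes. The "unknown" principal is deliberately treated as suspicious rather than ignored, because a filemd5 call whose authentication event is not in the window you are scanning is exactly the case a rotated or partial log would hide.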

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:00:00 +0000

Type          Values Removed    Values Added
Description   (none)            An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command
Title         (none)            Stack memory disclosure in filemd5 command
Weaknesses    (none)            CWE-457
References    (none)            (none)
Metrics       (none)            cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                                cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:33:21.203Z

Reserved: 2026-05-27T17:49:33.907Z

Link: CVE-2026-9754

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:05.023

Modified: 2026-06-09T23:17:05.023

Link: CVE-2026-9754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:17Z

Weaknesses