CVE-2026-25609

5.4 MEDIUM

📋 TL;DR

An authenticated MongoDB user who can issue the profile command can bypass the intended read-only handling of its 'filter' parameter and alter profiler behaviour that the server was meant to leave unchanged. Affected deployments are MongoDB Server instances where such a user can reach the profile command, so the attacker needs valid credentials plus the privilege to run it; see the MongoDB advisory (SERVER-112952) for the affected versions.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: Specific versions not provided in reference; check MongoDB advisory for affected versions
Operating Systems: All platforms running affected MongoDB versions
Default Config Vulnerable: ✅ No
Notes: Requires the attacker to authenticate and to hold the privilege that authorizes the profile command (the enableProfiler action, included in the built-in dbAdmin and dbAdminAnyDatabase roles).

📦 What is this software?

MongoDB Server is a document-oriented database. Its database profiler records selected operations (slow ones at level 1, all operations at level 2) into the system.profile collection of each database, together with the operations' command documents. Profiling is configured per database through the profile command, which mongosh wraps as db.setProfilingLevel(level, options); the options include slowms, sampleRate and a filter expression that selects which operations are recorded, and the command with level -1 reads the current settings without changing them. Running the profile command requires the enableProfiler privilege action, which the built-in dbAdmin and dbAdminAnyDatabase roles include.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could set or change the profiler filter through a path the server was meant to treat as read-only, altering which operations are recorded in the system.profile collection. Because profiler entries include the recorded operations' command documents, an attacker who can also read that collection could use this to observe query contents from other users' operations that they were not meant to see.

🟠

Likely Case

Authenticated users who already hold profile command access alter profiling behaviour they should not be able to change, and use the profiler to monitor or interfere with database operations beyond their intended scope.

🟢

If Mitigated

With proper authentication controls and limited profile command access, impact is minimal as only authorized users could exploit this.

🌐 Internet-Facing: MEDIUM - Requires authentication, but a MongoDB instance exposed to the Internet with weak, default or leaked credentials hands an outsider the prerequisite.
🏢 Internal Only: MEDIUM - Any internal user already holding profile command access can exploit it to bypass the intended restriction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to MongoDB with profile command permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check MongoDB security advisory for specific fixed versions

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-112952

Restart Required: Yes

Instructions:

1. Check the MongoDB security advisory (SERVER-112952) for the affected and fixed versions.
2. Upgrade to a patched version.
3. Restart the MongoDB service.
4. Verify the fix by checking the running version (db.version()).

🔧 Temporary Workarounds

Disable Profile Commands

Platform: all

Turn profiling off on every database where it is not needed. This only sets the profiling level to 0 (the profiler stops recording); the profile command itself stays available, so any principal holding the enableProfiler action can switch it back on or change the filter. Treat it as a first step and combine it with the role restriction below.

db.setProfilingLevel(0)

Restrict Profile Command Access

Platform: all

Limit which users and roles can execute the profile command

The profile command is gated by the enableProfiler privilege action, which the built-in dbAdmin and dbAdminAnyDatabase roles include (and therefore every user holding them, such as root). Use MongoDB role-based access control: enumerate the roles that carry enableProfiler on each database, and move users who do not administer the profiler onto custom roles that omit the action.
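A concrete way to find out who can reach the vulnerable command. The script below is an added example, not MongoDB's or the advisory's own code. It evaluates the array that db.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true }) returns in mongosh for the database you are auditing, lists every role that grants the enableProfiler action on that database directly or by inheritance, and emits a createRole document for a replacement admin role without that action. The role documents embedded here are a constructed sample shaped like rolesInfo output (not captured from a server), and the role name dbAdminNoProfiler and its action list are assumptions to adjust to your needs.

```javascript
// Added example (not MongoDB's or the advisory's own code). Lists the roles
// that can run the profile command on a database, i.e. hold the
// "enableProfiler" privilege action there. Feed it the array returned in
// mongosh by:
//   db.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true })
// Here a constructed sample stands in for that output so the script runs
// offline under node.

const PROFILE_ACTION = "enableProfiler"; // action MongoDB checks for the profile command

// True if one privilege entry grants enableProfiler on dbName. In MongoDB's
// privilege model resource.db === "" means "every database", and
// anyResource: true covers everything; cluster resources carry no db.
function grantsProfilerOn(privilege, dbName) {
  const { resource = {}, actions = [] } = privilege;
  if (!actions.includes(PROFILE_ACTION)) return false;
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string") return false;
  return resource.db === "" || resource.db === dbName;
}

// "role@db" for every role whose direct or inherited privileges allow the
// profile command on dbName. rolesInfo already flattens inherited privileges,
// so a custom role built on dbAdminAnyDatabase is caught as well.
function rolesGrantingProfiler(roles, dbName) {
  const found = [];
  for (const r of roles) {
    const privs = [...(r.privileges || []), ...(r.inheritedPrivileges || [])];
    if (privs.some((p) => grantsProfilerOn(p, dbName))) found.push(`${r.role}@${r.db}`);
  }
  return found.sort();
}

// createRole document for a replacement admin role that deliberately omits
// enableProfiler. Role name and action list are assumptions; trim them to
// what the affected users actually need.
function profilerFreeDbAdminSpec(dbName) {
  return {
    role: "dbAdminNoProfiler",
    privileges: [{
      resource: { db: dbName, collection: "" },
      actions: ["collStats", "dbStats", "indexStats", "listCollections", "listIndexes", "validate"],
    }],
    roles: [],
  };
}

// Constructed sample shaped like rolesInfo output (not captured from a server).
const SAMPLE_ROLES = [
  { role: "dbAdmin", db: "app", isBuiltin: true, roles: [],
    privileges: [{ resource: { db: "app", collection: "" },
                   actions: ["collStats", "dbStats", "enableProfiler", "validate"] }],
    inheritedPrivileges: [] },
  { role: "appReader", db: "app", isBuiltin: false, roles: [],
    privileges: [{ resource: { db: "app", collection: "" }, actions: ["find"] }],
    inheritedPrivileges: [{ resource: { db: "app", collection: "" }, actions: ["find"] }] },
  { role: "opsAdmin", db: "admin", isBuiltin: false,
    roles: [{ role: "dbAdminAnyDatabase", db: "admin" }],
    privileges: [],
    inheritedPrivileges: [{ resource: { db: "", collection: "" },
                            actions: ["collStats", "enableProfiler"] }] },
];

console.log("roles able to run profile on app:", rolesGrantingProfiler(SAMPLE_ROLES, "app"));
console.log("replacement role:", JSON.stringify(profilerFreeDbAdminSpec("app")));
```

Run the audit once per database that has profiling enabled. Any role listed beyond your DBA roles is a candidate for replacement: create the profiler-free role with db.createRole(...) on that database and move the affected users onto it with db.updateUser(...), then re-run the audit to confirm only the intended administrators remain.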

🧯 If You Can't Patch

  • Enforce authentication (security.authorization: enabled) and least privilege: do not give application or reporting accounts dbAdmin, dbAdminAnyDatabase or root, since those roles carry the enableProfiler action
  • Where auditing is available (MongoDB Enterprise or Atlas), audit the profile command and review its use; alert on invocations from principals outside the DBA set and on authorization failures

🔍 How to Verify

Check if Vulnerable:

Check MongoDB version against affected versions in security advisory

Check Version:

db.version()

Verify Fix Applied:

Confirm that db.version() reports a version at or above the fixed version given in the MongoDB advisory. Then attempt to read the profiler settings (profile command with level -1) on a protected database as a user whose roles do not include enableProfiler: the command should be rejected with an authorization error (code 13, Unauthorized), and only the intended administrators should be able to read or change the profiler filter.

📡 Detection & Monitoring

Log Indicators:

  • profile command invocations from principals outside the set of DBAs expected to change profiler settings
  • profile command invocations that carry a filter field, in particular ones sent with profile: -1 (the documented read-only form) together with a filter
  • Authorization failures for the profile command (audit result 13, Unauthorized), which show accounts probing for the privilege

Network Indicators:

  • Profile command requests carrying a filter are only visible on the wire when client traffic is not TLS-protected; with TLS in place, rely on the server-side audit log instead

SIEM Query:

source="mongodb-audit" atype="authCheck" param.command="profile" (result!=0 OR param.args.filter=*)

The field names follow MongoDB's JSON audit log (atype, param.command, param.args, result); the source name is a placeholder for however your deployment ingests that log, and successful calls only appear in it when auditAuthorizationSuccess is enabled (denials are logged regardless). Exclude your known DBA principals (the users array) to cut noise.
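The same logic as a script you can run over an exported audit log, as an added example that is not part of the advisory or of MongoDB. It assumes the JSON audit log format (one authCheck event per line with atype, users, param.command, param.args and result) and that auditAuthorizationSuccess is on so that successful profile calls are recorded; the allowlist of principals permitted to change profiling and the log lines themselves are constructed for the example.

```javascript
// Added example (not MongoDB's or the advisory's own code): scan MongoDB
// audit log lines (JSON, one event per line) for suspicious use of the
// profile command. Assumes auditing is enabled with auditAuthorizationSuccess
// on; without it only denials (result != 0) are written for authCheck events.

// Principals expected to change profiler settings (assumed for this example).
const PROFILE_ALLOWLIST = new Set(["dba@admin"]);

function parseAuditLine(line) {
  try { return JSON.parse(line); } catch (e) { return null; } // skip malformed lines
}

// "user@db" for the authenticated user(s) on the connection.
function principalOf(ev) {
  const users = Array.isArray(ev.users) ? ev.users : [];
  return users.length ? users.map((u) => `${u.user}@${u.db}`).join(",") : "<unauthenticated>";
}

// Returns a finding for a profile command event worth looking at, else null.
function checkProfileEvent(ev) {
  if (!ev || ev.atype !== "authCheck" || !ev.param || ev.param.command !== "profile") return null;
  const args = ev.param.args || {};
  const who = principalOf(ev);
  const reasons = [];
  if (ev.result !== 0) reasons.push(`denied (result ${ev.result})`);
  if (!PROFILE_ALLOWLIST.has(who)) reasons.push("caller not in profiling allowlist");
  // Level -1 is the documented read-only form of the command; a filter sent
  // with it is the shape this advisory is about, so flag it on its own.
  if (args.profile === -1 && Object.prototype.hasOwnProperty.call(args, "filter")) {
    reasons.push("read-only level -1 combined with filter");
  }
  if (reasons.length === 0) return null;
  return {
    ts: ev.ts && ev.ts.$date,
    db: ev.param.ns,
    who,
    remote: ev.remote && ev.remote.ip,
    args,
    reasons,
  };
}

function scanAuditLog(text) {
  return text.split("\n").filter((l) => l.trim().length > 0)
    .map(parseAuditLine).map(checkProfileEvent).filter(Boolean);
}

// Constructed sample lines shaped like MongoDB's JSON audit log (not real captures).
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authCheck","ts":{"$date":"2026-02-10T09:14:02.101Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.8.21","port":51522},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"dbAdminAnyDatabase","db":"admin"}],"param":{"command":"profile","ns":"app","args":{"profile":1,"slowms":200,"$db":"app"}},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2026-02-10T09:20:41.377Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.9.77","port":40112},"users":[{"user":"appsvc","db":"app"}],"roles":[{"role":"dbAdmin","db":"app"}],"param":{"command":"profile","ns":"app","args":{"profile":-1,"filter":{"op":"query"},"$db":"app"}},"result":0}',
  '{"atype":"authCheck","ts":{"$date":"2026-02-10T09:22:05.004Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.9.80","port":40990},"users":[{"user":"reporter","db":"app"}],"roles":[{"role":"read","db":"app"}],"param":{"command":"profile","ns":"app","args":{"profile":2,"$db":"app"}},"result":13}',
  '{"atype":"authCheck","ts":{"$date":"2026-02-10T09:22:06.210Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.9.77","port":40112},"users":[{"user":"appsvc","db":"app"}],"roles":[{"role":"dbAdmin","db":"app"}],"param":{"command":"find","ns":"app.orders","args":{"find":"orders","filter":{"status":"open"},"$db":"app"}},"result":0}',
  'not json {',
  '{"atype":"authCheck","ts":{"$date":"2026-02-10T09:30:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.8.21","port":51522},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"dbAdminAnyDatabase","db":"admin"}],"param":{"command":"profile","ns":"app","args":{"profile":-1,"$db":"app"}},"result":0}',
].join("\n");

for (const finding of scanAuditLog(SAMPLE_AUDIT_LOG)) console.log(JSON.stringify(finding));
```

On the sample the scanner reports two events: the appsvc call that pairs level -1 with a filter from a principal outside the allowlist, and the denied attempt by reporter. The routine find with a filter is ignored because only the profile command is inspected, and the DBA's plain level -1 read is accepted.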

🔗 References

  • https://jira.mongodb.org/browse/SERVER-112952 (MongoDB Jira ticket cited above as the vendor advisory)
