CVE-2026-25613

6.5 MEDIUM

📋 TL;DR

An authenticated MongoDB user can crash the database server by executing a query that targets a collection with an invalid compound wildcard index. This affects MongoDB deployments where users have query permissions and collections contain malformed compound wildcard indexes.

💻 Affected Systems

Products:
  • MongoDB
Versions: Not listed in the reference; the fixed and affected server versions are tracked in SERVER-113685 and the MongoDB security advisory. Compound wildcard indexes were introduced in MongoDB 7.0, so deployments on earlier server versions cannot hold such an index.
Operating Systems: All platforms running MongoDB
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires: 1) Authenticated user with query permissions, 2) Collection with invalid compound wildcard index, 3) Query targeting that collection.

📦 What is this software?

MongoDB is a document-oriented database; the server process (mongod) stores BSON documents in collections and supports secondary indexes on them, including wildcard indexes ($**) that cover an arbitrary set of fields and compound wildcard indexes that combine a wildcard field with ordinary fields in one key.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The mongod process aborts and the database is unavailable until it is restarted (a replica set fails over to another member, a standalone is simply down); journaled, acknowledged writes survive the abort, but unacknowledged in-flight writes at the moment of the crash are lost and clients see connection errors.

🟠

Likely Case

Temporary service disruption as the MongoDB server crashes and requires restart, causing application downtime until recovery.

🟢

If Mitigated

Minimal impact with proper access controls limiting query permissions and monitoring for suspicious queries.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but internet-facing MongoDB instances with user accounts are vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal users with query permissions could accidentally or intentionally trigger the crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple query execution by authenticated user.

Exploitation requires knowledge of collections with invalid compound wildcard indexes and user authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated in the reference; take the fixed server versions from SERVER-113685 and the MongoDB security advisory

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-113685

Restart Required: Yes

Instructions:

1. Check the running MongoDB version with 'mongod --version'.
2. Update to the patched version through MongoDB's official update channels.
3. Restart the MongoDB service after the update.

🔧 Temporary Workarounds

Remove invalid compound wildcard indexes (all platforms)

Identify and drop any invalid compound wildcard indexes from collections:

db.collection.getIndexes()
db.collection.dropIndex('index_name')
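As an added example (not code from the MongoDB project or from the advisory), the following script classifies index specifications in the shape db.collection.getIndexes() returns and lists the compound wildcard indexes, that is, indexes whose key combines a $** wildcard field with at least one other field. The advisory does not say what makes such an index invalid, so the script reports every compound wildcard index for review and only generates the dropIndex statements instead of running them. The sample index list and the collection name "events" are constructed; the code runs under node and under mongosh.

```javascript
// Added example: audit index definitions for compound wildcard indexes.
// Not code from MongoDB or from the advisory; the sample data is constructed.
// Input shape is what db.collection.getIndexes() returns: an array of index
// specs, each with a `key` document and a `name`.

// A wildcard index key field is exactly "$**" or a path ending in ".$**".
function isWildcardField(field) {
  return field === "$**" || field.endsWith(".$**");
}

// "regular", "wildcard" (a single wildcard field) or "compound-wildcard"
// (a wildcard field combined with one or more ordinary fields).
function classifyIndex(indexSpec) {
  const fields = Object.keys(indexSpec.key || {});
  const wildcardFields = fields.filter(isWildcardField);
  if (wildcardFields.length === 0) return "regular";
  return fields.length > 1 ? "compound-wildcard" : "wildcard";
}

// Names of the compound wildcard indexes in a getIndexes() result. The
// advisory does not say what makes one of these invalid, so all of them are
// reported for review rather than dropped automatically.
function findCompoundWildcardIndexes(indexes) {
  return indexes
    .filter((spec) => classifyIndex(spec) === "compound-wildcard")
    .map((spec) => spec.name);
}

// mongosh statements an operator can review and then run to drop the
// flagged indexes on the named collection.
function dropStatements(collectionName, indexes) {
  return findCompoundWildcardIndexes(indexes).map(
    (name) =>
      `db.getCollection(${JSON.stringify(collectionName)})` +
      `.dropIndex(${JSON.stringify(name)})`
  );
}

// Constructed sample in the getIndexes() shape: one regular index, one
// single-field wildcard index and one compound wildcard index.
const sampleIndexes = [
  { v: 2, key: { _id: 1 }, name: "_id_" },
  { v: 2, key: { "attributes.$**": 1 }, name: "attributes_wild" },
  { v: 2, key: { tenant: 1, "attributes.$**": 1 }, name: "tenant_attributes_wild" },
];

console.log(findCompoundWildcardIndexes(sampleIndexes)); // → ["tenant_attributes_wild"]
console.log(dropStatements("events", sampleIndexes));
```

To run it against a live deployment from mongosh, replace sampleIndexes with the output of db.getSiblingDB(name).getCollection(coll).getIndexes() and loop over db.getMongo().getDBNames() and each database's getCollectionNames(); review the generated statements before executing any of them.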

Restrict access to the affected collections (all platforms)

Apply least privilege at the collection level. Any role that grants the find action on a collection carrying such an index, including the built-in read role, is enough to trigger the crash, so swapping readWrite for read does not help. Grant untrusted accounts only the collections they need and keep the collections with compound wildcard indexes out of their reach (the database name 'app' and collection 'safe_collection' below are placeholders; run this on the database that holds the collections):

db.createRole({role: 'restricted', roles: [],
  privileges: [{resource: {db: 'app', collection: 'safe_collection'}, actions: ['find']}]})
db.revokeRolesFromUser('username', ['readWrite'])
db.grantRolesToUser('username', ['restricted'])

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can execute queries
  • Monitor for and remove any invalid compound wildcard indexes from collections

🔍 How to Verify

Check if Vulnerable:

Compare the running version with the fixed versions listed in SERVER-113685, then list each collection's indexes with db.collection.getIndexes() and look for compound wildcard indexes (a key that combines a $** field with other fields).

Check Version:

mongod --version

Verify Fix Applied:

Confirm that mongod --version reports a fixed version. Do not verify by re-running the crashing query against a production server; if you need to confirm the behaviour, do it on a non-production node that holds the same index definitions.

📡 Detection & Monitoring

Log Indicators:

  • MongoDB crash logs
  • Unexpected server termination messages
  • Query errors related to wildcard indexes

Network Indicators:

  • Sudden drop in MongoDB connections
  • Application errors indicating database unavailability

SIEM Query:

source="mongodb.log" AND (s="F" OR "Fatal assertion" OR "Invariant failure" OR "aborting after")
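As an added example (not code from MongoDB or from the advisory), the following script applies the log indicators above to MongoDB structured (JSON) log lines: it flags fatal-severity entries and known abort messages, and pulls the preceding entries logged on the same connection context so the command that ran just before the abort can be located. The log lines are constructed; their id values, file names and attributes are illustrative only.

```javascript
// Added example: flag server-abort signatures in MongoDB structured (JSON)
// log lines and pull the preceding entries from the same connection so the
// query that ran just before the crash can be found. Not code from MongoDB
// or from the advisory; the log lines below are constructed and their ids,
// file names and attributes are illustrative only.

// Message fragments mongod emits when it aborts on a failed assertion or invariant.
const CRASH_MESSAGES = ["Fatal assertion", "Invariant failure", "aborting after"];

function parseLogLine(line) {
  try {
    return JSON.parse(line);
  } catch (err) {
    return null; // non-JSON line (old-style log, truncated write): skip it
  }
}

// A crash event is a fatal-severity entry ("s":"F") or one whose message
// carries a known abort signature.
function isCrashEvent(entry) {
  if (!entry) return false;
  if (entry.s === "F") return true;
  const msg = typeof entry.msg === "string" ? entry.msg : "";
  return CRASH_MESSAGES.some((needle) => msg.includes(needle));
}

// Returns {index, time, ctx, msg} for every crash event in the log.
function findCrashEvents(lines) {
  const events = [];
  lines.forEach((line, index) => {
    const entry = parseLogLine(line);
    if (!isCrashEvent(entry)) return;
    events.push({
      index,
      time: entry.t && entry.t.$date ? entry.t.$date : null,
      ctx: entry.ctx || null,
      msg: entry.msg || "",
    });
  });
  return events;
}

// Entries logged on the same connection context (ctx, e.g. "conn12") before
// the crash; with slow-query logging or profiling active this is where the
// triggering command and its namespace usually appear.
function contextBefore(lines, crashEvent, limit = 5) {
  const before = [];
  for (let i = crashEvent.index - 1; i >= 0 && before.length < limit; i--) {
    const entry = parseLogLine(lines[i]);
    if (entry && entry.ctx === crashEvent.ctx) before.unshift(entry);
  }
  return before;
}

// Constructed sample log (mongod JSON format: t, s, c, id, ctx, msg, attr);
// ids, file names and line numbers are placeholders.
const sampleLog = [
  '{"t":{"$date":"2026-01-15T10:00:00.000+00:00"},"s":"I","c":"COMMAND","id":0,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"app.events","command":{"find":"events","filter":{"tenant":"acme"}}}}',
  '{"t":{"$date":"2026-01-15T10:00:00.500+00:00"},"s":"I","c":"NETWORK","id":0,"ctx":"conn13","msg":"Connection ended"}',
  'this line is not JSON and must be skipped',
  '{"t":{"$date":"2026-01-15T10:00:01.000+00:00"},"s":"F","c":"ASSERT","id":0,"ctx":"conn12","msg":"Fatal assertion","attr":{"msgid":0,"file":"src/mongo/db/query/example.cpp","line":1}}',
  '{"t":{"$date":"2026-01-15T10:00:01.010+00:00"},"s":"F","c":"ASSERT","id":0,"ctx":"conn12","msg":"***aborting after fassert() failure"}',
];

const crashes = findCrashEvents(sampleLog);
console.log(crashes); // two events, both on ctx "conn12"
if (crashes.length > 0) console.log(contextBefore(sampleLog, crashes[0]));
```

Feed it the lines of mongod.log (or the container's stdout) to get the abort time and connection; the preceding slow-query or profiler entry on that ctx names the namespace, which tells you which collection's indexes to inspect.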
