Mongodb Security Vulnerabilities (CVEs)

An authenticated MongoDB user can crash the database server by executing a query that targets a collection with an invalid compound wildcard index. Th...

This MongoDB vulnerability allows authenticated users to bypass intended read-only restrictions on the 'filter' parameter in profile commands, potenti...

This vulnerability in MongoDB allows connections from proxy ports to bypass connection counting, potentially causing server crashes when connection li...

This vulnerability allows attackers to crash MongoDB servers by sending complex queries that trigger excessive memory usage in the query planner. All ...

This vulnerability allows unauthenticated clients to read uninitialized heap memory from MongoDB servers by exploiting mismatched length fields in Zli...

A post-authentication flaw in MongoDB's two-phase commit protocol for cross-shard transactions can cause logical data inconsistencies under specific, ...

A privilege escalation vulnerability in MongoDB Server allows users with limited privileges to terminate queries executed by other users, causing deni...

MongoDB Server may crash due to an invariant failure during batched delete operations when handling documents. The server incorrectly assumes multiple...

This vulnerability in MongoDB Server allows oversized BSON documents to bypass initial size validation in time series processing, causing an assertion...

This CVE describes a TLS certificate validation bypass vulnerability in MongoDB servers. On Windows and Apple systems, MongoDB may accept client certi...

This vulnerability in MongoDB C driver allows reading invalid memory when large options are passed to mongoc_bulk_operation_t functions. This affects ...

MongoDB's KMIP response parser accepts malformed packets that create invalid objects, causing read access violations when accessed. This affects Mongo...

This vulnerability in MongoDB Rust Driver disables TLS certificate validation when tlsInsecure=False appears in connection strings, allowing man-in-th...

An authorized MongoDB user can cause a denial of service by sending specially crafted $group queries with certain accumulator functions. This vulnerab...

An improper handling of the lsid field in sharded queries can cause MongoDB routers to crash when this field is provided in contexts where it's not ap...

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, causing an invariant failure and server c...

An authorized MongoDB user can cause a server crash by issuing queries containing duplicate _id fields, leading to denial of service. This affects Mon...

This vulnerability allows unauthorized users to bypass MongoDB's authorization controls by exploiting a flaw in the $mergeCursors aggregation pipeline...

MongoDB Server versions 8.0 prior to 8.0.10 have a memory management vulnerability where certain internal operations can cause excessive memory consum...

An authenticated MongoDB user can trigger a use-after-free vulnerability by executing specific aggregation pipeline operations, causing server crashes...

MongoDB Server is vulnerable to denial of service when processing specific date values in JSON input during OIDC authentication. An attacker can crash...

This vulnerability allows improper authentication in MongoDB servers when TLS with CRL revocation checking is enabled on Linux systems. It affects Mon...

A vulnerability in MongoDB's mongos query router allows unauthenticated attackers to send specially crafted wire protocol messages that cause the serv...

A buffer overflow vulnerability in MongoDB's C driver library (libbson) allows attackers to cause segmentation faults and application crashes by creat...

MongoDB Compass versions before 1.42.1 are vulnerable to local privilege escalation when a malicious file is placed in the C:\node_modules\ directory....

MongoDB Shell (mongosh) versions before 2.3.0 are vulnerable to local privilege escalation when a malicious file is placed in C:\node_modules\. This a...

This CVE describes a control character injection vulnerability in MongoDB Shell (mongosh) where an attacker controlling a MongoDB cluster can craft ma...

This vulnerability allows attackers to inject malicious code into MongoDB Shell (mongosh) through clipboard manipulation. An attacker controlling the ...

An authenticated MongoDB user can cause server crashes or read unauthorized memory contents by sending specially crafted requests with malformed BSON....

MongoDB Server v6.0.3 contains a memory access vulnerability in internal aggregation stage processing when zero arguments are called. This could lead ...

This vulnerability allows an attacker with host-level access on Linux systems to manipulate MongoDB server startup to load malicious shared libraries,...

The bson_strfreev function in MongoDB's C driver library contains an integer overflow vulnerability that can cause memory corruption when freeing memo...

MongoDB Compass versions before 1.42.2 have insufficient sandbox protection in the ejson shell parser used for connection handling, allowing potential...

CVE-2024-3372 is an improper input validation vulnerability in MongoDB Server that allows pre-authentication attackers to send malformed metadata caus...

This vulnerability allows authenticated MongoDB users to bypass IP whitelisting protection after administrative actions like role modifications. It af...

A vulnerability in MongoDB's js-bson library versions 1.1.3 and earlier allows incorrect parsing of certain JSON inputs, leading to improper BSON seri...

This MongoDB vulnerability allows authenticated users to maintain authorization sessions after their accounts are deleted, potentially gaining access ...