[CIVN-2026-0088] Multiple Vulnerabilities in MongoDB
Multiple Vulnerabilities in MongoDB
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
MongoDB Server versions 8.2 through 8.2.4
MongoDB Server versions 8.0 through 8.0.18
MongoDB Server versions 7.0 through 7.0.29
MongoDB Ruby Driver versions 7.0.0 through 7.6.1
MongoDB Ruby Driver versions 8.0.0 through 8.0.12
MongoDB Ruby Driver versions 8.1.0 through 8.1.12
MongoDB Ruby Driver versions 9.0.0 through 9.0.10
MongoDB Go Driver versions prior to 1.17.7
MongoDB Go Driver versions prior to 2.4.2
Overview
Multiple vulnerabilities have been reported in MongoDB which could allow an attacker to execute arbitrary code, obtain sensitive information, cause unauthorized configuration changes, or cause a denial of service condition on the targeted system.
Target Audience:
All end-user organizations and individuals using MongoDB.
Risk Assessment:
High risk of remote code execution, sensitive information disclosure, unauthorized configuration changes, and a denial of service condition.
Impact Assessment:
Potential for arbitrary code execution, data theft, service disruption, unauthorized modification of configuration settings, and system instability.
Description
MongoDB is a document-based database that stores information in flexible, JSON-like documents rather than traditional tables and rows, making it well suited for handling large or evolving data structures.
Multiple vulnerabilities exist in MongoDB due to improper handling of memory allocation, internal resource identifier collisions, improper handling of large documents in a replica set, improper connection counting mechanisms, improper input validation, unsafe casting, insufficient validation of commands, and unsafe reflection in components. An attacker could exploit these vulnerabilities by sending specially crafted requests.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, obtain sensitive information, cause unauthorized configuration changes, or cause a denial of service condition on the targeted system.
Solution
Apply the security updates released by MongoDB:
https://www.mongodb.com/resources/products/alerts#security
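As an added check that is not part of the CERT-In advisory, the following Python helper encodes the affected version ranges listed under "Software Affected" and reports whether a version string (for example the "db version" line printed by `mongod --version`, or a driver version from a lockfile) falls inside one of them. Reading the Go driver's "prior to" entries as bounds on their own 1.x and 2.x lines is an assumption, since the advisory gives no lower bound for them.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges copied from the advisory's "Software Affected" list.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "server": [("8.2.0", "8.2.4"), ("8.0.0", "8.0.18"), ("7.0.0", "7.0.29")],
    "ruby-driver": [("7.0.0", "7.6.1"), ("8.0.0", "8.0.12"),
                    ("8.1.0", "8.1.12"), ("9.0.0", "9.0.10")],
}
# The Go driver entries read "prior to X". Assumption: each applies to its own
# major line (1.x below 1.17.7, 2.x below 2.4.2); the advisory gives no lower bound.
GO_DRIVER_FIRST_UNAFFECTED: Dict[int, str] = {1: "1.17.7", 2: "2.4.2"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Pull the first major.minor[.patch] out of a string such as the
    'db version v8.0.18' line from `mongod --version`, or a bare '8.2'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(product: str, version_text: str) -> bool:
    """True when the version falls in a range this advisory lists for `product`
    ('server', 'ruby-driver' or 'go-driver'). Tuples compare element-wise,
    so 8.0.18 < 8.0.19 and 7.0.29 < 8.0.0 follow version order."""
    v = parse_version(version_text)
    if product == "go-driver":
        ceiling = GO_DRIVER_FIRST_UNAFFECTED.get(v[0])
        return ceiling is not None and v < parse_version(ceiling)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])


if __name__ == "__main__":
    # Constructed sample inputs, as they might be pasted from tool output.
    for product, text in [("server", "db version v8.0.18"),
                          ("server", "8.2.5"),
                          ("go-driver", "v1.17.6")]:
        state = "AFFECTED" if is_affected(product, text) else "not listed"
        print(f"{product:12s} {text:22s} {state}")
```

A version that is not listed as affected still needs confirming against the vendor alerts page above, since later advisories may widen the ranges.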
Vendor Information
MongoDB
https://www.mongodb.com/resources/products/alerts#security
References
MongoDB
https://www.mongodb.com/resources/products/alerts#security
CVE Name
CVE-2026-2302
CVE-2026-2303
CVE-2026-25613
CVE-2026-1849
CVE-2026-1850
CVE-2026-25609
CVE-2026-25610
CVE-2026-1847
CVE-2026-1848
CVE-2026-25611
CVE-2026-25612
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003