
[CIVN-2026-0229] Multiple Vulnerabilities in MongoDB Products
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
8.2.0 affects versions prior to 8.2.7
8.1.0 affects 8.1.* and prior versions
8.0.0 affects versions prior to 8.0.21
7.0.0 affects versions prior to 7.0.32
Overview
Multiple vulnerabilities have been reported in MongoDB, which could allow an attacker to cause Denial of Service (DoS) conditions and perform limited unauthorized modifications to authentication related data on the targeted system.
Target Audience:
All end-user organizations and individuals using MongoDB.
Risk Assessment:
High risk of unauthorized access to sensitive information.
Impact Assessment:
Potential for denial of service and information disclosure.
Description
MongoDB is a document-based database that stores information in flexible, JSON-like documents rather than traditional tables and rows, making it well suited for handling large or evolving data structures.
Multiple vulnerabilities exist in MongoDB due to improper handling while computing the MD5 checksum of a malformed BSON object under specific conditions and an authorization flaw in the user management command.
Successful exploitation of these vulnerabilities could allow an attacker to cause Denial of Service (DoS) conditions and make limited unauthorized changes to authentication related data associated with another user account on the targeted system.
Solution
Apply appropriate fixes issued by the vendor:
https://www.mongodb.com/resources/products/alerts#security
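Added example, not part of the CERT-In advisory or any MongoDB tooling: a Python triage helper that classifies `mongod --version` output (or bare version strings) against the fixed releases listed under "Software Affected". The function names, status labels and sample inventory are assumptions made for illustration; the "and prior versions" wording on the 8.1 line is not interpreted, so branches the advisory does not name are returned as `not-listed` for manual review.

```python
import re

# Fixed patch level per affected branch, from "Software Affected" in this advisory.
# None: the advisory lists all of 8.1.* as affected and names no fixed 8.1 release.
FIXED = {(8, 2): 7, (8, 1): None, (8, 0): 21, (7, 0): 32}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed'.

    Accepts a bare version ("8.0.19") or a `mongod --version` line
    ("db version v8.0.19").
    """
    m = VERSION_RE.search(version_text)
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    has_suffix = m.group(4) is not None
    branch = (major, minor)
    if branch not in FIXED:
        # Assumption: unnamed branches are flagged for review, not guessed.
        return "not-listed"
    fixed_patch = FIXED[branch]
    if fixed_patch is None:
        return "affected"
    # Assumption: a suffixed build of the fixed version (e.g. 8.0.21-rc0)
    # is a pre-release and is treated as prior to the fix.
    if patch < fixed_patch or (patch == fixed_patch and has_suffix):
        return "affected"
    return "fixed"


def triage(inventory):
    """Map host -> status for a {host: version_text} inventory."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = {
    "db-01": "db version v8.0.19",
    "db-02": "db version v8.2.7",
    "db-03": "db version v8.1.2",
    "db-04": "db version v6.0.20",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```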
Vendor Information
MongoDB
https://www.mongodb.com/resources/products/alerts#security
References
MongoDB
https://jira.mongodb.org/browse/SERVER-119679
https://jira.mongodb.org/browse/SERVER-119981
CVE Name
CVE-2026-6914
CVE-2026-6915
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


