SB2026021331 - Multiple vulnerabilities in MongoDB Server
Published: February 13, 2026
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2026-1847)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote user can insert certain large documents into a replica set, causing the secondaries to be unable to fetch the oplog from the primary; this stalls replication inside the replica set and leads to a server crash.
2) Resource exhaustion (CVE-ID: CVE-2026-1848)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because connections received on the proxy port are not counted towards the total of accepted connections. A remote attacker can open many connections to the database and perform a denial of service attack.
3) Uncontrolled recursion (CVE-ID: CVE-2026-1849)
The vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to resource exhaustion while evaluating expressions that produce deeply nested documents. A remote user can force the server to consume all available memory and perform a denial of service attack.
4) Resource exhaustion (CVE-ID: CVE-2026-1850)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing complex queries. A remote user can trigger memory exhaustion and perform a denial of service (DoS) attack.
5) Missing authorization (CVE-ID: CVE-2026-25609)
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to incorrect validation of the profile command. A remote user can read information from the database using the "filter" command without the necessary permissions.
6) Reachable assertion (CVE-ID: CVE-2026-25610)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion. A remote user can run a $geoNear pipeline with certain invalid index hints to perform a denial of service attack.
7) Asymmetric resource consumption (CVE-ID: CVE-2026-25611)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to incorrect handling of ingress requests. A remote attacker can send a series of specially crafted unauthenticated messages and consume all available memory resources.
8) Resource exhaustion (CVE-ID: CVE-2026-25612)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the Lock Manager does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Type conversion (CVE-ID: CVE-2026-25613)
The vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to a type conversion error when handling certain queries. A remote user can run a query against a collection that contains an invalid compound wildcard index and perform a denial of service attack.
Remediation
Install the update from the vendor's website.
References
- https://jira.mongodb.org/browse/SERVER-113532
- https://jira.mongodb.org/browse/SERVER-114695
- https://jira.mongodb.org/browse/SERVER-102364
- https://jira.mongodb.org/browse/SERVER-114126
- https://jira.mongodb.org/browse/SERVER-112952
- https://jira.mongodb.org/browse/SERVER-99119
- https://jira.mongodb.org/browse/SERVER-116210
- https://jira.mongodb.org/browse/SERVER-114838
- https://jira.mongodb.org/browse/SERVER-113685