Users could trigger a crash of mongod primaries during promotion...

6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.

This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.

Basic Information

ID CVE-2026-5170

Source mongodb

Published Mar 30, 2026 at 15:28

Modified Mar 30, 2026 at 16:02

Affected Product

Vendor MongoDB

Product MongoDB Server

Version 8.2

Affected Versions MongoDB MongoDB Server 8.2
MongoDB MongoDB Server 8.0
MongoDB MongoDB Server 7.0

CWE Classification

CWE-617

References

jira.mongodb.org /browse/SERVER-101758

{
    "lastseen": "",
    "description": "A user with access to the cluster with a limited set of privilege actions can trigger a crash of a\u00a0mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.\n\nThis issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.",
    "published": "2026-03-30T15:28:57.572Z",
    "modified": "2026-03-30T16:02:37.318Z",
    "type": "cve",
    "title": "Users could trigger a crash of mongod primaries during promotion to sharded",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-101758",
    "id": "CVE-2026-5170",
    "bulletinFamily": "",
    "cwe": [
        "CWE-617"
    ],
    "cvelist": null,
    "sourceData": "MongoDB MongoDB Server 8.2\nMongoDB MongoDB Server 8.0\nMongoDB MongoDB Server 7.0",
    "sourceHref": "",
    "cvss": {
        "score": 6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Server",
    "version": "8.2",
    "vendor": "MongoDB",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Users could trigger a crash of mongod primaries during promotion to sharded_CVE-2026-5170