CVE-2026-4147

MEDIUM

MongoDB Server < 8.2.6 - Stack Memory Disclosure via filemd5

Title source: manual

Description

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.

References (1)

https://jira.mongodb.org/browse/SERVER-119317

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 11.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-457 CWE-908

Status published

Products (5)

mongodb/mongodb 8.3.0 alpha0 (5 CPE variants)

mongodb/mongodb 7.0.0 - 7.0.31

MongoDB Inc/MongoDB Server 7.0 - 7.0.31

MongoDB Inc/MongoDB Server 8.0 - 8.0.20

MongoDB Inc/MongoDB Server 8.2 - 8.2.6

Published Mar 17, 2026

Tracked Since Mar 17, 2026