CVE-2026-5170
MEDIUMUsers could trigger a crash of mongod primaries during promotion to sharded
Title source: cnaDescription
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://jira.mongodb.org/browse/SERVER-101758
Scores
CVSS v3
5.3
EPSS
0.0020
EPSS Percentile
10.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-617
Status
published
Products (4)
mongodb/mongodb
7.0.0 - 7.0.31
MongoDB/MongoDB Server
7.0 - 7.0.31
MongoDB/MongoDB Server
8.0 - 8.0.18
MongoDB/MongoDB Server
8.2 - 8.2.2
Published
Mar 30, 2026
Tracked Since
Mar 30, 2026