{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5170", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2026-03-30T15:16:59.378Z", "datePublished": "2026-03-30T15:28:57.572Z", "dateUpdated": "2026-03-30T16:02:37.318Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB", "versions": [{"lessThan": "8.2.2", "status": "affected", "version": "8.2", "versionType": "custom"}, {"lessThan": "8.0.18", "status": "affected", "version": "8.0", "versionType": "custom"}, {"lessThan": "7.0.31", "status": "affected", "version": "7.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<b><p></p></b><b><p></p></b><p><span style=\"background-color: transparent;\">A user with access to the cluster with a limited set of privilege actions can trigger a crash of a&nbsp;</span>mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.</p><p><span style=\"background-color: transparent;\">This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.</span></p><br><br><br>"}], "value": "A user with access to the cluster with a limited set of privilege actions can trigger a crash of a\u00a0mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.\n\nThis issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "CWE-617: Reachable Assertion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-03-30T15:28:57.572Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://jira.mongodb.org/browse/SERVER-101758"}], "source": {"discovery": "INTERNAL"}, "title": "Users could trigger a crash of mongod primaries during promotion to sharded", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T16:02:15.631116Z", "id": "CVE-2026-5170", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T16:02:37.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5170", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T16:02:15.631116Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T16:02:32.808Z"}}], "cna": {"title": "Users could trigger a crash of mongod primaries during promotion to sharded", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "8.2", "lessThan": "8.2.2", "versionType": "custom"}, {"status": "affected", "version": "8.0", "lessThan": "8.0.18", "versionType": "custom"}, {"status": "affected", "version": "7.0", "lessThan": "7.0.31", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-101758", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A user with access to the cluster with a limited set of privilege actions can trigger a crash of a\u00a0mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.\n\nThis issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.", "supportingMedia": [{"type": "text/html", "value": "<b><p></p></b><b><p></p></b><p><span style=\"background-color: transparent;\">A user with access to the cluster with a limited set of privilege actions can trigger a crash of a&nbsp;</span>mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.</p><p><span style=\"background-color: transparent;\">This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.</span></p><br><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617: Reachable Assertion"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-03-30T15:28:57.572Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5170", "state": "PUBLISHED", "dateUpdated": "2026-03-30T16:02:37.318Z", "dateReserved": "2026-03-30T15:16:59.378Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2026-03-30T15:28:57.572Z", "assignerShortName": "mongodb"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A user with access to the cluster with a limited set of privilege actions can trigger a crash of a\u00a0mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.\n\nThis issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31."}, {"lang": "es", "value": "Un usuario con acceso al cl\u00faster con un conjunto limitado de acciones de privilegio puede desencadenar una ca\u00edda de un proceso mongod durante la ventana limitada e impredecible cuando el cl\u00faster est\u00e1 siendo promovido de un conjunto de r\u00e9plicas a un cl\u00faster fragmentado. Esto puede causar una denegaci\u00f3n de servicio al derribar el primario del conjunto de r\u00e9plicas.\n\nEste problema afecta a MongoDB Server v8.2 versiones anteriores a 8.2.2, MongoDB Server v8.0 versiones entre 8.0.18, MongoDB Server v7.0 versiones entre 7.0.31."}], "id": "CVE-2026-5170", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2026-03-30T16:16:10.610", "references": [{"source": "cna@mongodb.com", "url": "https://jira.mongodb.org/browse/SERVER-101758"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "cna@mongodb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.2,8.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0,8.0.18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.0,7.0.31)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MongoDB Server", "source": "cna", "vendor": "MongoDB"}, "product": "mongodb_server", "vendor": "mongodb"}], "analysis": {"en": {"generated_at": "2026-03-30T17:51:35.724676+00:00", "value": {"mitigation_remediation": ["Upgrade MongoDB Server to 8.2.2 or later, to 8.0.18 or later, or to 7.0.31 or later.", "If an immediate upgrade is not possible, avoid promoting a replica set to a sharded cluster until the vulnerability is resolved.", "Ensure the cluster is not in promotion mode before making topology changes.", "Monitor for unexpected mongod crashes and set up alerts or automatic restarts.", "Maintain recent backups of data before altering cluster configuration."], "summary": {"action": "Patch Now", "impact": "Denial of Service from mongod crash during sharded promotion"}, "threat_synthesis": {"affected_systems": "MongoDB Server versions 8.2 prior to 8.2.2, 8.0 up to 8.0.18, and 7.0 up to 7.0.31 are impacted. Any deployment that performs a replica set to sharded cluster promotion using these releases is at risk.", "description_and_impact": "A privileged user with a limited set of cluster actions can trigger a crash of the mongod primary when a replica set is being promoted to a sharded cluster. The crash causes the primary to fail, resulting in a denial of service that interrupts cluster availability. The flaw is a crash bug classified under CWE\u2011617.", "risk_and_exploitability": "The CVSS score of 6 indicates a moderate severity level. Exploitation requires the attacker to be authenticated and to act during the narrow window when the cluster is undergoing promotion, which reduces the likelihood of successful attacks. No known large\u2011scale exploitation has been reported, and the vulnerability is not listed in the known\u2011exploited catalog, but the potential for service disruption warrants prompt action."}}}}, "created": "2026-03-30T20:55:35.519072+00:00", "updated": "2026-03-31T20:40:51.790695+00:00", "vendors": ["mongodb", "mongodb$PRODUCT$mongodb_server"]}