Vulnerability CVE-2026-5170: Information

Description

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.

Severity: MEDIUM (6.0)

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity: MEDIUM (5.3)

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2026-5170

Published: March 30, 2026

Modified: April 2, 2026

Error type identifier: CWE-617

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
mongo7.0	sisyphus	7.0.31-alt1	7.0.32-alt1	ALT-PU-2026-4905-2	412112	Fixed
mongo7.0	p11	7.0.31-alt1	7.0.32-alt1	ALT-PU-2026-4911-3	412113	Fixed
mongo7.0	c10f2	7.0.31-alt0.c10f2.1	7.0.32-alt0.c10f2.1	ALT-PU-2026-4915-3	412114	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://jira.mongodb.org/browse/SERVER-101758	Patch Vendor Advisory

Affected configurations:
1. cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
  Start including
  7.0.0
  End excluding
  7.0.31
  cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
  Start including
  8.0.0
  End excluding
  8.0.18
  cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
  Start including
  8.2.0
  End excluding
  8.2.2

Version: v26.5.1