Vulnerability CVE-2026-6914: Information

Description

Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server. This issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior to 7.0.32

Severity: HIGH (7.1)

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Severity: HIGH (7.5)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2026-6914

Published: April 29, 2026

Modified: May 6, 2026

Error type identifier: CWE-191

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
mongo7.0	sisyphus	7.0.32-alt1	7.0.32-alt1	ALT-PU-2026-7104-1	417097	Fixed
mongo7.0	p11	7.0.32-alt1	7.0.32-alt1	ALT-PU-2026-7129-2	417098	Fixed
mongo7.0	c10f2	7.0.32-alt0.c10f2.1	7.0.32-alt0.c10f2.1	ALT-PU-2026-7138-2	417158	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://jira.mongodb.org/browse/SERVER-119981	Issue Tracking Patch

Affected configurations:
1. cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
  Start including
  7.0.0
  End excluding
  7.0.32
  cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
  Start including
  8.0.0
  End excluding
  8.0.21
  cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
  Start including
  8.1.0
  End excluding
  8.2.7

Version: v26.5.1