Invariant failure in applyOps
Description
A specially crafted applyOps operation can trigger an invariant failure, causing MongoDB Server 3.6 and 4.0 to crash (denial of service).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A user authorized to execute database queries can issue a specially crafted applyOps command that triggers an invariant failure in the server. This denial-of-service vulnerability affects MongoDB Server v4.0 versions prior to 4.0.10 and v3.6 versions prior to 3.6.13 [1]. The flaw is classified under CWE-20 Improper Input Validation.
Exploitation
An attacker must have valid authentication and authorization to perform database queries on the target MongoDB instance. The attack is conducted remotely over the network, requires no user interaction, and the attacker can trigger the crash by sending a single malicious applyOps request [1]. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Impact
Successful exploitation results in a denial of service: the MongoDB server process crashes. No data is disclosed or modified; the database service is unavailable until the server is restarted [1].
Mitigation
MongoDB addressed this issue in versions 4.0.10 and 3.6.13. Users running affected versions should upgrade immediately to the patched release [1]. No workarounds are mentioned in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MongoDB Inc./MongoDB Server, v5, Range: 3.6
Patches
No patches discovered yet.
References
- [1] jira.mongodb.org/browse/SERVER-35636 (mitre, x_refsource_CONFIRM)