Medium severity5.3NVD Advisory· Published Mar 30, 2026· Updated Apr 2, 2026

CVE-2026-5170

Description

A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set.

This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.

Affected products

MongoDB/MongoDB
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
Range: >=7.0.0,<7.0.31

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jira.mongodb.org/browse/SERVER-101758nvdPatchVendor Advisory

News mentions

Worm rubs out competitor's malware, then takes control
The Register Security · May 8, 2026
The Good, the Bad and the Ugly in Cybersecurity – Week 19
SentinelOne Labs · May 8, 2026
VECT: Ransomware by design, Wiper by accident
Check Point Research · Apr 28, 2026
Ongoing supply-chain attack 'explicitly targeting' security, dev tools
The Register Security · Apr 27, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000