{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25612", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2026-02-03T18:21:58.986Z", "datePublished": "2026-02-10T18:05:23.851Z", "dateUpdated": "2026-02-10T18:59:27.442Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Server", "vendor": "MongoDB Inc", "versions": [{"lessThan": "8.2.4", "status": "affected", "version": "8.2", "versionType": "semver"}, {"lessThan": "8.0.18", "status": "affected", "version": "8.0", "versionType": "semver"}, {"lessThan": "7.0.29", "status": "affected", "version": "7.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks."}], "value": "The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-412", "description": "CWE-412 Unrestricted Externally Accessible Lock", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-02-10T18:05:23.851Z"}, "references": [{"url": "https://jira.mongodb.org/browse/SERVER-114838"}, {"url": "https://jira.mongodb.org/browse/SERVER-115296"}], "source": {"discovery": "UNKNOWN"}, "title": "Internal ResourceId collision may affect unrelated collections", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T18:59:20.305133Z", "id": "CVE-2026-25612", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T18:59:27.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25612", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T18:59:20.305133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T18:59:24.564Z"}}], "cna": {"title": "Internal ResourceId collision may affect unrelated collections", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "8.2", "lessThan": "8.2.4", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.0.18", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.0.29", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-114838"}, {"url": "https://jira.mongodb.org/browse/SERVER-115296"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.", "supportingMedia": [{"type": "text/html", "value": "The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-412", "description": "CWE-412 Unrestricted Externally Accessible Lock"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-02-10T18:05:23.851Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25612", "state": "PUBLISHED", "dateUpdated": "2026-02-10T18:59:27.442Z", "dateReserved": "2026-02-03T18:21:58.986Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2026-02-10T18:05:23.851Z", "assignerShortName": "mongodb"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks."}, {"lang": "es", "value": "El mecanismo de bloqueo interno del servidor MongoDB utiliza una codificaci\u00f3n interna de los recursos para elegir qu\u00e9 bloqueo tomar. Las colecciones pueden colisionar inadvertidamente entre s\u00ed en esta representaci\u00f3n, causando indisponibilidad entre ellas debido a bloqueos conflictivos."}], "id": "CVE-2026-25612", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2026-02-10T18:16:37.623", "references": [{"source": "cna@mongodb.com", "url": "https://jira.mongodb.org/browse/SERVER-114838"}, {"source": "cna@mongodb.com", "url": "https://jira.mongodb.org/browse/SERVER-115296"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-412"}], "source": "cna@mongodb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.2,8.2.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0,8.0.18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.0,7.0.29)"}}], "product": "mongodb", "vendor": "mongodb"}], "analysis": {"en": {"generated_at": "2026-04-17T20:35:12.185158+00:00", "value": {"mitigation_remediation": ["Check MongoDB release notes for a patch addressing issues SERVER-114838 or SERVER-115296 and apply the update if available.", "If no fix exists, reduce or serialize the concurrency of operations that target collection groups likely to share internal resource identifiers, thereby minimizing the chance of lock collisions.", "Enable and monitor lock\u2011related logging or diagnostics to detect and alert on unexpected lock conflicts, allowing rapid response to service disruptions."], "summary": {"action": "Assess Impact", "impact": "Denial of Service via lock collision"}, "threat_synthesis": {"affected_systems": "MongoDB Server accounts for all versions of the product, with no specific affected version range announced. Any deployment using the internal locking system is potentially susceptible to this collision behavior.", "description_and_impact": "The vulnerability stems from MongoDB Server\u2019s internal locking mechanism, which uses an encoded resource identifier to decide which lock to acquire. If two collections generate the same encoded identifier, the resulting lock collisions can render one or both collections unavailable. This flaw represents a concurrency issue (CWE-412) that can lead to service interruption for affected collections.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate severity. The EPSS score of less than 1% suggests exploitation probability is currently low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be internal or local, as the issue requires concurrent operations that share the same internal resource identifier; details on external exploitation are not provided. Exploitation would involve orchestrating parallel workloads that collide on the encoded resource IDs, thereby triggering lock conflicts and rendering collections temporarily unavailable."}}}}, "created": "2026-02-11T21:52:07.288703+00:00", "updated": "2026-04-17T20:45:25.761541+00:00", "vendors": ["mongodb", "mongodb$PRODUCT$mongodb"]}