CVE-2026-25611 – MongoDB Server Pre-Authentication Memory Exhaustion Denial of Service
“One stream of malicious messages can drain server memory and take a database offline.”
MongoDB has patched a denial-of-service vulnerability that lets an unauthenticated attacker take a MongoDB server down by exhausting system memory. The flaw is in how the server handles a sequence of specially crafted network messages: each message costs the attacker little to send, but causes the server to allocate disproportionately more memory than the request warrants (asymmetric resource consumption). By sending such messages in a continuous stream, an attacker can rapidly consume the available memory and force the mongod process to terminate.
The vulnerability affects MongoDB Server 8.2 releases prior to 8.2.4, 8.0 releases prior to 8.0.18, and 7.0 releases prior to 7.0.29. Because it requires no authentication and is triggered purely over the network, any instance whose listening port (27017 by default) is reachable by an attacker can be knocked offline remotely; enabling authentication does not protect a server from this attack, only network reachability matters. CVE-2026-25611 carries a CVSS base score of 7.5 (High), consistent with a network-reachable, no-privilege, availability-only impact.
MongoDB addressed the issue by improving resource handling during message processing so that malicious requests can no longer exhaust server memory. The fix is to upgrade to 8.2.4, 8.0.18, or 7.0.29 (or later) on the relevant branch. Until that is done, the standard exposure controls apply: bind mongod to internal interfaces only (net.bindIp) and restrict access to the MongoDB port with firewall or security-group rules so that only application hosts can reach it.
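The per-branch version boundaries above are easy to get wrong in a fleet audit (8.1.x is neither "older than 8.2.4" nor covered by the advisory, for example). The following is an added example, not MongoDB's code or anything from the advisory: it classifies a server version against the three fixed releases named on this page, treats branches the advisory does not mention as "not covered" rather than guessing, and can optionally pull the version from a live server. The `assess_server` helper assumes pymongo is installed and that the caller can reach the server; the sample version strings are constructed for illustration.

```python
"""Branch-aware check of a MongoDB server version against the
CVE-2026-25611 fixed releases (8.2.4, 8.0.18, 7.0.29).

Added example, not MongoDB's code. The fixed versions come from the
advisory text; the optional network lookup assumes pymongo is installed.
"""
import re

# First fixed release on each branch the advisory names.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 29),
    (8, 0): (8, 0, 18),
    (8, 2): (8, 2, 4),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from a string such as '8.0.17' or
    '8.2.0-rc1'. Pre-release suffixes are dropped for the comparison."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(version):
    """Classify a version as 'vulnerable', 'fixed' or 'not covered'.

    'not covered' means the advisory names no fixed release for that
    branch (e.g. 6.0 or 8.1), so this check draws no conclusion for it
    instead of silently treating it as safe or unsafe."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "not covered"
    return "vulnerable" if (major, minor, patch) < fixed else "fixed"


def assess_server(uri, timeout_ms=3000):
    """Read the server version via the buildInfo command and classify it.

    Assumes pymongo is available. buildInfo is answered before
    authentication on a default deployment, so this works for inventory
    scans even when no credentials are at hand."""
    from pymongo import MongoClient  # optional dependency, imported lazily

    client = MongoClient(uri, serverSelectionTimeoutMS=timeout_ms)
    try:
        version = client.admin.command("buildInfo")["version"]
    finally:
        client.close()
    return version, assess_version(version)


if __name__ == "__main__":
    # Constructed sample inputs standing in for buildInfo output.
    samples = ["7.0.28", "7.0.29", "8.0.17", "8.0.18",
               "8.2.3", "8.2.4", "8.2.0-rc1", "6.0.21", "8.1.0"]
    for sample in samples:
        print(f"{sample:>9} -> {assess_version(sample)}")
```

Run it against a live host with `assess_server("mongodb://db.internal:27017")`; for a fleet, feed each host's `buildInfo` version string into `assess_version` and treat every "not covered" result as a prompt to consult the vendor advisory rather than as a pass.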
Key Details
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-405 (Asymmetric Resource Consumption / Amplification)