CVE-2026-5170: CWE-617: Reachable Assertion in MongoDB MongoDB Server
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31.
AI Analysis
Technical Summary
CVE-2026-5170 is a reachable assertion (CWE-617) in MongoDB Server. It affects the 7.0 branch before 7.0.32, the 8.0 branch before 8.0.19 and the 8.2 branch before 8.2.2. A user who already has access to the cluster and holds a limited set of privilege actions can make a mongod process hit a fatal assertion, which terminates the process. The trigger is only available during the short and unpredictable window in which the cluster is being promoted from a replica set to a sharded cluster; outside that window the same actions do not reach the assertion. Because the process that dies can be the primary of the replica set, the result is a denial of service: the primary goes down and the remaining members must elect a replacement.

The advisory does not name the assertion, the privilege actions involved or the exact transitional state, so the code path is not public. What it does state is that no user interaction is required, that the attacker needs network access and some privileges but not administrative ones, and that no public exploit was known at the time of publication. MongoDB fixed the issue in 8.2.2, 8.0.19 and 7.0.32. The CVSS v4.0 score is 6.0 (medium): network attack vector, low privileges required, high attack complexity (the narrow window) and high impact on availability, with the impact limited to availability.
Potential Impact
The impact is denial of service: a mongod process, potentially the replica set primary, crashes while the cluster is being promoted to a sharded cluster. Applications lose the primary until the remaining members elect a new one; during that interval writes fail or queue, and drivers see connection resets and retry. Writes that the crashed primary had acknowledged with w:1 but had not yet replicated to a majority are rolled back when the new primary takes over, so an induced crash can also cost recent data for applications that do not use a majority write concern. The crash may also interrupt the promotion itself, which an administrator will then need to verify before retrying, and repeated triggering during successive promotion attempts keeps the cluster in that state and adds operational load. The vulnerability does not expose data or escalate privileges, but in environments with tight availability targets (finance, healthcare, e-commerce, hosted database services) an on-demand primary outage is significant on its own.
Mitigation Recommendations
Upgrade to 8.2.2, 8.0.19 or 7.0.32 (or later on the respective branch); `db.version()` in mongosh reports what a member is running. Because the assertion is only reachable while a promotion from replica set to sharded cluster is in progress, the most effective interim control is not to start a promotion on an unpatched build: patch first, then promote. If a promotion must proceed on an affected version, run it in a maintenance window with reduced load, with an operator watching the primary, and with a tested plan for a primary loss. Review which principals hold the privilege actions that reach this code path; the advisory does not enumerate them, so audit cluster-level actions in custom roles and the built-in cluster roles rather than assuming only administrators qualify, and remove access that is not needed. Restrict network reachability of mongod to application and administration hosts. Monitor for unexpected mongod exits, fatal assertion entries in the server log and unplanned elections, and alert when a crash coincides with a promotion. Enforce authentication and role-based access control so that unauthenticated or over-privileged accounts cannot reach the cluster at all, and keep backups and rehearsed failover procedures so that a forced primary loss is an incident rather than an outage.
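Two of the checks above can be automated: deciding whether a member's reported version falls in an affected range, and noticing a fatal assertion crash that failover quietly absorbed. The following is an added example written for this page, not MongoDB's own code. The version table is taken from the advisory; the log lines are constructed in the shape of MongoDB's structured JSON log (`t`, `s`, `c`, `id`, `ctx`, `msg`, `attr`), with illustrative ids, file path and messages rather than the real ones for this bug, and the election/stepdown message substrings are assumptions.

```python
"""Triage helpers for CVE-2026-5170: (1) decide from a mongod's reported version
whether it is in an affected range, and (2) scan mongod's structured JSON log for
fatal assertion crashes and correlate them with the election that follows.
Added example, not MongoDB's own code. SAMPLE_LOG is constructed; its ids, file
path and messages are illustrative, not the real ones for this bug.
"""
import json
import re
from datetime import datetime, timedelta
from typing import Optional

# Branch -> first fixed patch release, as stated in the advisory.
FIXED_PATCH = {(7, 0): 32, (8, 0): 19, (8, 2): 2}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """'8.0.18' or '8.0.18-rc0' (as from db.version()) -> (8, 0, 18)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if at or past the fix,
    None if the branch is not covered by the advisory (for example an 8.1 rapid
    release). Treat None as 'consult the vendor', not as 'safe'."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def _timestamp(rec: dict) -> datetime:
    # Structured log timestamps look like 2026-03-30T15:10:04.120+00:00.
    return datetime.strptime(rec["t"]["$date"], "%Y-%m-%dT%H:%M:%S.%f%z")


def classify(line: str) -> Optional[dict]:
    """Classify one log line as a 'fatal_assertion', 'election' or 'stepdown'
    event, or return None. Severity 'F' on the ASSERT component is where a
    process-terminating assertion lands in the structured log; the election and
    stepdown message substrings are assumptions made for this example."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # pre-4.4 plain-text logs are out of scope here
    sev, comp, msg = rec.get("s"), rec.get("c"), rec.get("msg", "")
    if sev == "F" and comp == "ASSERT":
        kind = "fatal_assertion"
    elif comp == "ELECTION" and "primary" in msg.lower():
        kind = "election"
    elif comp == "REPL" and "stepping down" in msg.lower():
        kind = "stepdown"
    else:
        return None
    return {"kind": kind, "t": _timestamp(rec), "ctx": rec.get("ctx", ""), "msg": msg}


def scan_log(lines) -> list:
    """Events from the merged logs of all replica set members, in time order.
    Merging matters: the crash is written by the node that died and the
    election by the node that won it."""
    events = [e for e in (classify(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e["t"])


def crash_followed_by_election(events, window_s: int = 60) -> list:
    """Pair each fatal assertion with the first election inside window_s seconds:
    the signature of a primary crash that failover quietly absorbed."""
    elections = [e for e in events if e["kind"] == "election"]
    pairs = []
    for crash in (e for e in events if e["kind"] == "fatal_assertion"):
        deadline = crash["t"] + timedelta(seconds=window_s)
        for election in elections:
            if crash["t"] <= election["t"] <= deadline:
                pairs.append((crash, election))
                break
    return pairs


# Constructed sample: a connection, a fatal assertion on that connection, a
# non-JSON line, and an election on another member ten seconds later.
SAMPLE_LOG = [
    '{"t":{"$date":"2026-03-30T15:10:00.000+00:00"},"s":"I","c":"NETWORK","id":0,'
    '"ctx":"conn12","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234"}}',
    '{"t":{"$date":"2026-03-30T15:10:04.120+00:00"},"s":"F","c":"ASSERT","id":0,'
    '"ctx":"conn12","msg":"Fatal assertion","attr":{"msgid":0,"file":"src/mongo/example.cpp","line":1}}',
    'garbage line that is not JSON',
    '{"t":{"$date":"2026-03-30T15:10:14.000+00:00"},"s":"I","c":"ELECTION","id":0,'
    '"ctx":"ReplCoord-1","msg":"Election succeeded, assuming primary role","attr":{"term":8}}',
]

if __name__ == "__main__":
    for v in ("8.0.18", "8.0.19", "8.2.1", "8.1.3"):
        print(f"{v}: affected={is_affected(v)}")
    for crash, election in crash_followed_by_election(scan_log(SAMPLE_LOG)):
        print(f"{crash['t'].isoformat()} fatal assertion on {crash['ctx']} -> "
              f"election at {election['t'].isoformat()} ({election['ctx']})")
```

Feed `scan_log` the concatenated logs of every member, not just the former primary: the assertion is recorded by the process that died, while the election that follows is recorded by whichever member won it, so the correlation only works across the merged set. A `None` from `is_affected` means the branch is outside the advisory's table and must be checked against the vendor's release notes rather than assumed clean.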
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: mongodb
- Date Reserved: 2026-03-30T15:16:59.378Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ca9c71e6bfc5ba1d472626
Added to database: 3/30/2026, 3:53:21 PM
Last enriched: 3/30/2026, 4:08:26 PM
Last updated: 3/31/2026, 5:01:01 AM
Views: 19