CVE-2025-10491 HIGH

CVE-2025-10491: MongoDB Windows installation MSI may leave ACLs unset on custom installation directories

Vendor Mongodb Inc

Product MongoDB Server

Weakness CWE-284

Published September 15, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

7.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5

Key dates

02Disclosure timeline

September 15, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10491

Related vulnerabilities

Identifiers

CVE CVE-2025-10491

CWE CWE-284

CVSS 7.8 / HIGH

Affected versions

Vendor Mongodb Inc

Product MongoDB Server

Affected ≥ 6.0 and < 6.0.25

Vendor Mongodb Inc

Product MongoDB Server

Affected ≥ 7.0 and < 7.0.21

Vendor Mongodb Inc

Product MongoDB Server

Affected ≥ 8.0 and < 8.0.5

CVE-2025-10491: MongoDB Windows installation MSI may leave ACLs unset on custom installation directories

01Description

02Disclosure timeline

03References

04Related CVE