CVE-2026-25612 HIGH

CVE-2026-25612: Internal ResourceId collision may affect unrelated collections

Vendor Mongodb Inc
Product MongoDB Server
Weakness CWE-412
Published February 10, 2026
Last update February 10, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.

Key dates

02Disclosure timeline

February 10, 2026 CVE published
February 10, 2026 Record updated