Cyber Resilience

CVE-2026-1848

HighDDoS

Published: 10 February 2026

Published
10 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0026 17.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1848 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Mongodb Mongodb. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-1848 is a denial-of-service vulnerability in the MongoDB server. Connections received from the proxy port do not count toward the total accepted connections limit, which can result in server crashes when the total number of connections exceeds available resources. This issue applies only to connections accepted from the proxy port while pending the proxy protocol header. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).

Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction. By sending a large number of connections to the proxy port before the proxy protocol header is fully processed, attackers bypass the server's connection counting mechanism, leading to resource exhaustion and server crashes that disrupt availability.

Mitigation details are documented in the MongoDB Jira ticket at https://jira.mongodb.org/browse/SERVER-114695.

EU & UK References

Vulnerability details

Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol…

more

header.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote exploitation of a public-facing MongoDB server (T1190) via unauthenticated connections to trigger application-level resource exhaustion and DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1850Same product: Mongodb Mongodb
CVE-2026-1847Same product: Mongodb Mongodb
CVE-2026-4358Same product: Mongodb Mongodb
CVE-2025-14847Same product: Mongodb Mongodb
CVE-2026-1849Same product: Mongodb Mongodb
CVE-2026-8336Same product: Mongodb Mongodb
CVE-2026-8053Same product: Mongodb Mongodb
CVE-2026-4148Same product: Mongodb Mongodb
CVE-2026-8201Same product: Mongodb Mongodb
CVE-2025-0755Same product: Mongodb Mongodb

Affected Assets

mongodb
mongodb
7.0.0 — 7.0.29 · 8.0.0 — 8.0.18 · 8.2.0 — 8.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

SC-5 directly protects against denial-of-service attacks by limiting effects of resource-exhausting connection floods targeting the proxy port.

prevent

AC-10 enforces limits on concurrent connections, mitigating exhaustion from uncounted proxy port sessions.

prevent

SC-6 employs resource allocation throttling and exhaustion prevention techniques to protect against proxy connection overloads.

References