CVE-2026-1848
Published: 10 February 2026
Summary
CVE-2026-1848 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Mongodb Mongodb. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2026-1848 is a denial-of-service vulnerability in the MongoDB server. Connections received from the proxy port do not count toward the total accepted connections limit, which can result in server crashes when the total number of connections exceeds available resources. This issue applies only to connections accepted from the proxy port while pending the proxy protocol header. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction. By sending a large number of connections to the proxy port before the proxy protocol header is fully processed, attackers bypass the server's connection counting mechanism, leading to resource exhaustion and server crashes that disrupt availability.
Mitigation details are documented in the MongoDB Jira ticket at https://jira.mongodb.org/browse/SERVER-114695.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7064
Vulnerability details
Connections received from the proxy port may not count towards total accepted connections, resulting in server crashes if the total number of connections exceeds available resources. This only applies to connections accepted from the proxy port, pending the proxy protocol…
more
header.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of a public-facing MongoDB server (T1190) via unauthenticated connections to trigger application-level resource exhaustion and DoS (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-5 directly protects against denial-of-service attacks by limiting effects of resource-exhausting connection floods targeting the proxy port.
AC-10 enforces limits on concurrent connections, mitigating exhaustion from uncounted proxy port sessions.
SC-6 employs resource allocation throttling and exhaustion prevention techniques to protect against proxy connection overloads.