CVE-2025-10491

MongoDB Windows installation MSI may leave ACLs unset on custom installation directories

Description

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 version prior to 6.0.25, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5

INFO

Published Date :

2025-09-15T16:04:54.221Z

Last Modified :

2026-02-26T17:48:37.469Z

Source :

mongodb

AFFECTED PRODUCTS

The following products are affected by CVE-2025-10491 vulnerability.

Vendors	Products
Microsoft	Windows
Mongodb	Mongodb

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-10491.

URL	Resource
https://jira.mongodb.org/browse/SERVER-51366

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact