Skip to content
Percona Software for MongoDB Documentation

Rate this page
Thanks for your feedback
Thank you! The feedback has been submitted.

Get free database assistance or contact our experts for personalized support.

Get help from Percona

Percona Server for MongoDB 7.0.37-20 (2026-06-23)

Installation Upgrade from MongoDB Community

Percona Server for MongoDB 7.0.37-20 is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.

Percona Server for MongoDB 7.0.37-20 includes the improvements and bug fixes of:

Upgrade recommendation

This release contains multiple high-severity security fixes affecting all Percona Server for MongoDB 7.0.x versions. We strongly recommend upgrading to version 7.0.37-20 as soon as possible.

Improvements

  • PSMDB-2038: Percona Server for MongoDB now exposes LDAP userToDN cache statistics through the serverStatus command. These metrics provide visibility into cache utilization and effectiveness, helping administrators troubleshoot LDAP authentication latency, validate cache behavior after configuration changes, and optimize cache sizing for their workloads. The new ldap.userToDNCache section reports runtime information such as cache usage, hits, misses, and invalidations, making LDAP authentication performance easier to monitor and tune.

  • PSMDB-2071: Enhanced oplog record parsing to better handle legacy oplog entries that may be present after upgrades from older major versions. This improvement increases compatibility with upgraded deployments by correctly processing oplog records that contain fields no longer used in current releases.

Bugs fixed

  • PSMDB-1977: Resolved an issue where Docker-based MongoDB instances could fail to start when replication settings were defined in mongod.conf.

  • PSMDB-2039: Fixed an issue where PSMDB packages built on a newer Amazon Linux 2023 release failed to install on systems running older AL2023 updates. Package installation now works as expected across supported Amazon Linux 2023 versions.

Security updates

Affected versions

These vulnerabilities affect the following versions:

  • All Percona Server for MongoDB 7.0.x versions

High severity

  • SERVER-128125 (CVE-2026-11933): A use-after-free vulnerability was identified in MongoDB Server’s server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who can execute server-side JavaScript (e.g., via $where or $function) may trigger access to freed memory, which could result in information disclosure from the mongod process memory or a denial of service through a server crash.

  • SERVER-125063 (CVE-2026-9740): A vulnerability in the BSON validator allows an unauthenticated user to supply specially crafted input that could cause the mongod process to terminate unexpectedly, resulting in a denial-of-service condition.

  • SERVER-124959 (CVE-2026-9753): A vulnerability in the $_internalApplyOplogUpdate aggregation stage allows an authenticated user to supply specially crafted input that could cause the server process to terminate unexpectedly.

  • SERVER-123440 (CVE-2026-9752): Inserting specially crafted documents into a collection with a 2dsphere index could cause the mongod process to terminate unexpectedly, leading to a server crash.

  • SERVER-123633 (CVE-2026-9750): A vulnerability in query execution allows an authenticated user to create specially crafted documents that interfere with internal metadata processing. This can cause the server process to terminate unexpectedly and may result in incorrect query results.

  • SERVER-124031 (CVE-2026-9749): Aggregation pipelines that use the internal $exchange stage with key-range partitioning can trigger an unexpected condition when processing large numbers of documents for a single key range. This can cause the server process to terminate unexpectedly.

  • SERVER-123951 (CVE-2026-9748): Under specific conditions, using the internal $_internalConvertBucketIndexStats stage together with $facet can cause the mongod process to terminate unexpectedly.

  • SERVER-123918 (CVE-2026-9747): A vulnerability triggered by using fromRouter: true together with runtimeConstants.userRoles can cause the mongod process to terminate unexpectedly.

  • SERVER-124190 (CVE-2026-9746): A vulnerability in the use of $changeStream, $_requestReshardingResumeToken, and the exchange option can cause the mongod process to terminate unexpectedly. An authenticated user can trigger this behavior without requiring any special privileges.

Medium severity

  • SERVER-123370 (CVE-2026-9751): Percona Server for MongoDB no longer logs sensitive parameter values when they are modified using the runtime setParameter command. Previously, parameters such as ldapQueryPassword could be written to mongod.log in plain text, potentially exposing credentials.

    This applies to all setParameter operations. Parameters marked as sensitive are automatically redacted from log output, and values associated with unrecognized parameter names are also redacted to prevent accidental exposure caused by typographical errors.

Tools packaged with this release

Percona Server for MongoDB packages the following MongoDB tools: