On January 02, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a critical MongoDB Server vulnerability, "MongoBleed" (CVE-2025-14847), by January 19, 2026. This high-severity flaw allows unauthenticated attackers to leak sensitive data from self-managed MongoDB instances. MongoDB Atlas users were automatically protected; however, self-hosted deployments require immediate upgrades to fixed versions or disabling zlib compression. CISA confirmed active exploitation of the vulnerability, added to its KEV catalog on December 29, 2025.