MongoDB MCP Server
Official MongoDB MCP server for database operations, Atlas cloud management, local deployments, and knowledge base access
Server Info
- Package: mongodb-mcp-server
- Registry: npm
- Repository: mongodb-js/mongodb-mcp-server
- Maintainer: MongoDB (Vendor)
- Category: Developer Tools
- Tags: nosql, database, mongodb
- Last Scanned: 7 Apr 2026
Findings
7 issues
Authentication & Identity
MEDIUM: HTTP/SSE transport supports per-request credentials
Supports both stdio and StreamableHTTP transports. MongoDB connection string passed via MDB_MCP_CONNECTION_STRING env var or CLI argument. Atlas API auth via OAuth client credentials (MDB_MCP_API_CLIENT_ID/SECRET). No MCP OAuth spec implementation. Config also supports MDB_MCP_ prefix for all settings.
Implement the MCP OAuth spec so users authenticate directly without platform mediation.
Tool Schema Quality
HIGH: Required fields missing on 2 write operations
Write tools without required field declarations: switch-connection, atlas-local-create-deployment.
Add required arrays to all write/delete tool schemas.
MEDIUM: Only 6 of 46 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: aggregate tool allows $out/$merge stages which can write data, though this is blocked in readOnly mode
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM: 1 tool combines read and write operations
Excellent permission granularity. Tools are separated by operationType (metadata/read/create/update/delete/connect) and category (mongodb/atlas/atlas-local/assistant). Config supports readOnly mode, disabledTools list (by name, category, or operation type), and confirmationRequiredTools for destructive operations. The aggregate tool is the only mixed read/write tool as it can execute $out/$merge stages. Tool annotations include readOnlyHint and destructiveHint.
Split into separate read and write tools.
LLM Safety
HIGH: Tool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM: 5 list operations lack pagination
Find tool supports projection (field selection), limit with configurable defaults (10 docs), and responseBytesLimit (1MB default). Aggregate tool has configurable maxDocumentsPerQuery and maxBytesPerQuery limits. Export tool provides full result export to resources. Atlas list operations use hardcoded itemsPerPage=500 without pagination controls. List-databases and list-collections return all results without pagination.
Add limit/offset or cursor-based pagination.
Tools
46 total

| Name | Description | Risk |
|---|---|---|
| connect | Connect to a MongoDB instance. The config resource captures if the server is already connected to a MongoDB cluster. If the user has configured a connection string or has previously called the connect tool, a connection is already established and there's no need to call this tool unless the user has explicitly requested to switch to a new MongoDB cluster. | write |
| switch-connection | Switch to a different MongoDB connection. If the user has configured a connection string or has previously called the connect tool, a connection is already established and there's no need to call this tool unless the user has explicitly requested to switch to a new instance. | write |
| list-databases | List all databases for a MongoDB connection | read |
| list-collections | List all collections for a given database | read |
| collection-indexes | Describe the indexes for a collection | read |
| collection-schema | Describe the schema for a collection | read |
| collection-storage-size | Gets the size of the collection | read |
| db-stats | Returns statistics that reflect the use state of a single database | read |
| mongodb-logs | Returns the most recent logged mongod events | read |
| explain | Returns statistics describing the execution of the winning plan chosen by the query optimizer for the evaluated method | read |
| find | Run a find query against a MongoDB collection | read |
| count | Gets the number of documents in a MongoDB collection using db.collection.count() and query as an optional filter parameter | read |
| aggregate | Run an aggregation against a MongoDB collection | read |
| export | Export a query or aggregation results in the specified EJSON format. | read |
| insert-many | Insert an array of documents into a MongoDB collection. If the list of documents is above com.mongodb/maxRequestPayloadBytes, consider inserting them in batches. | write |
| create-index | Create an index for a collection | write |
| create-collection | Creates a new collection in a database. If the database doesn't exist, it will be created automatically. | write |
| update-many | Updates all documents that match the specified filter for a collection. If the list of documents is above com.mongodb/maxRequestPayloadBytes, consider updating them in batches. | write |
| rename-collection | Renames a collection in a MongoDB database | write |
| delete-many | Removes all documents that match the filter from a MongoDB collection | admin |
| drop-collection | Removes a collection or view from the database. The method also removes any indexes associated with the dropped collection. | admin |
| drop-database | Removes the specified database, deleting the associated data files | admin |
| drop-index | Drop an index for the provided database and collection. | admin |
| atlas-list-orgs | List MongoDB Atlas organizations | read |
| atlas-list-projects | List MongoDB Atlas projects | read |
| atlas-list-clusters | List MongoDB Atlas clusters | read |
| atlas-inspect-cluster | Inspect metadata of a MongoDB Atlas cluster | read |
| atlas-inspect-access-list | Inspect Ip/CIDR ranges with access to your MongoDB Atlas clusters. | read |
| atlas-list-db-users | List MongoDB Atlas database users | read |
| atlas-list-alerts | List MongoDB Atlas alerts | read |
| atlas-get-performance-advisor | Get MongoDB Atlas performance advisor recommendations and suggestions | read |
| atlas-connect-cluster | Connect to MongoDB Atlas cluster | write |
| atlas-create-free-cluster | Create a free MongoDB Atlas cluster | write |
| atlas-create-access-list | Allow Ip/CIDR ranges to access your MongoDB Atlas clusters. | write |
| atlas-create-db-user | Create an MongoDB Atlas database user | admin |
| atlas-create-project | Create a MongoDB Atlas project | write |
| atlas-streams-discover | Discover Atlas Stream Processing resources | read |
| atlas-streams-build | Build Atlas Stream Processing pipelines | write |
| atlas-streams-manage | Manage Atlas Stream Processing pipelines | write |
| atlas-streams-teardown | Teardown Atlas Stream Processing resources | admin |
| atlas-local-list-deployments | List MongoDB Atlas local deployments | read |
| atlas-local-create-deployment | Create a MongoDB Atlas local deployment | write |
| atlas-local-connect-deployment | Connect to a MongoDB Atlas Local deployment | write |
| atlas-local-delete-deployment | Delete a MongoDB Atlas local deployment | admin |
| search-knowledge | Search for information in the MongoDB Assistant knowledge base. This includes official documentation, curated expert guidance, and other resources provided by MongoDB. Supports filtering by data source and version. | read |
| list-knowledge-sources | List available data sources in the MongoDB Assistant knowledge base. Use this to explore available data sources or to find search filter parameters to use in search-knowledge. | read |